Effective Date: June 18th, 2021


This Data Use Addendum (“Addendum”) supplements the Terms of Service (the “Terms”) entered into by and between Crunchbase, Inc. (“Crunchbase”) and you (“Customer”). If your use of the Services is part of a subscription purchased by an organization or entity, “Customer” refers to that organization or entity. Crunchbase enters into this Addendum on behalf of itself and, to the extent required under Applicable Privacy Laws (defined below), in the name and on behalf of its Affiliates (defined below), if any. This Addendum incorporates the terms of the Terms, and any terms not defined in this Addendum shall have the meaning set forth in the Terms. In the event of a conflict between the terms and conditions of this Addendum and the Terms, the terms and conditions of this Addendum shall supersede and control.  

ARTICLE I – DEFINITIONS

“Affiliate” means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.

“Anonymous Data” means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person. 

“Applicable Privacy Law(s)” means the CCPA, GDPR, and any other data protection, privacy, data breach, or similar or related laws applicable to a party’s use or other processing of Personal Data.

“CCPA” means the California Consumer Privacy Act of 2018, as amended, together with its implementing regulations.

“Controller” means any person who would fall under the definition of a “Controller” as set forth in the GDPR, a “Business” as set forth in the CCPA, or any similar definition under any other Applicable Privacy Law.

“Content” has the meaning set forth in the Terms.

“Data Subject” means an identified or identifiable person to whom Personal Data relates. 

“GDPR” means EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016.

“Included Data” means any Personal Data included in the Content and provided to or otherwise accessed by Customer under the Terms.

“Personal Data” means any information relating to a Data Subject which is subject to Applicable Privacy Law.  

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

“Process” or “Processing” means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

“Processor” means any person who would fall under the definition of a “Processor” as set forth in the GDPR, a “Service Provider” as set forth in the CCPA, or any similar definition under any other Applicable Privacy Law. 

“Protected Data” means any Personal Data which Crunchbase Processes in its capacity as a Processor on behalf of Customer, and, for clarity, excludes Included Data, Anonymous Data and Personal Data collected, used, and shared in accordance with Crunchbase’s Privacy Policy.

“Services” means the Service defined in the Terms.

“Supervisory Authority” means an independent public authority which is established by a member state of the European Union, United Kingdom, Iceland, Liechtenstein, or Norway.  

The parties acknowledge that in the context of the Services, Crunchbase determines the purposes and means of Processing of certain types of Personal Data, in particular but not limited to business contact details of Customer’s and Customer Affiliates’ personnel and contractors in order to allow Crunchbase to administer and perform the Services. When Processing Personal Data in this manner, Crunchbase is a Controller of such Personal Data and the terms of this Addendum shall not apply to such Processing. Depending on the Services, Crunchbase may also process Protected Data in the capacity of a Processor. The provisions of Article II below shall apply when Crunchbase Processes such Protected Data in a capacity of a Processor. The parties acknowledge that each party Processes Included Data in a capacity as a Controller, and that with respect to such Processing they Process such Included Data as independent controllers, not joint controllers. The provisions of Article III below shall apply to such independent Processing of Included Data.

ARTICLE II – PROCESSING OF PROTECTED DATA

Rights & Obligations.

Customer shall, in its use of the Services, at all times Process Personal Data, and provide instructions for the Processing of Protected Data, in compliance with all Applicable Privacy Laws. Customer shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Protected Data, and that the Processing of Protected Data in accordance with such instructions will not cause Crunchbase to be in breach of any Applicable Privacy Law. Crunchbase shall immediately notify Customer if an instruction, in Crunchbase’s opinion, violates any Applicable Privacy Law; however, Customer is solely responsible for the accuracy, quality, and legality of (i) the Protected Data provided to Crunchbase by or on behalf of Customer, (ii) the means by which Customer acquired any such Protected Data, and (iii) the instructions it provides to Crunchbase regarding the Processing of such Protected Data. Customer shall not provide or make available to Crunchbase any Protected Data in violation of the Terms or otherwise inappropriate for the nature of the Services, and shall indemnify Crunchbase from all claims and losses in connection therewith. 

The subject matter, nature, purpose, and duration of Crunchbase’s Processing of Protected Data, as well as the types of Protected Data Processed and categories of Data Subjects, are described in Exhibit A to this Addendum. Crunchbase shall not Process Protected Data: (i) for purposes other than those set forth in the Terms and/or Exhibit A; (ii) in a manner inconsistent with the terms and conditions set forth in this Addendum or any other documented instructions provided by Customer, unless required to do so by a Supervisory Authority to which Crunchbase is subject; or (iii) in violation of Applicable Privacy Laws. Customer hereby instructs Crunchbase to Process Protected Data in accordance with the foregoing and as part of any Processing initiated by Customer in its use of the Services.

Following completion of the Services, at Customer’s choice, Crunchbase shall return or delete the Protected Data, unless further storage of Protected Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Crunchbase shall take reasonable measures to block such Protected Data from any further Processing. If applicable, the parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Model Clauses shall be provided by Crunchbase to Customer only upon Customer’s request.  

Authorized Employees and Sub-Processors.

Crunchbase shall take commercially reasonable steps to ensure the reliability and appropriate training of any employee authorized to access Protected Data in connection with this Addendum or the Terms (each, an “Authorized Employee”). Crunchbase shall ensure that all Authorized Employees are made aware of the confidential nature of Protected Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement with Crunchbase, any Protected Data except in accordance with their obligations in connection with the Services. 

Customer acknowledges and agrees that Crunchbase may (1) engage its affiliates and the sub-processors set forth on the list attached as Exhibit B and incorporated herein by this reference (the “List”), as such List may be updated from time to time in accordance with this Section (“Authorized Sub-Processors”) to access and Process Protected Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Protected Data. By way of this Addendum, Customer provides general written authorization to Crunchbase to engage sub-processors as necessary to perform the Services.

The List may be updated by Crunchbase from time to time.  At least ten (10) days before enabling any third party other than Authorized Sub-Processors to access or participate in the Processing of Personal Data, Crunchbase will add such third party to the List and provide Customer with notice of this addition. Customer may reasonably object to such an engagement on legitimate grounds by informing Crunchbase in writing within ten (10) days of receipt of the aforementioned notice by Customer. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Crunchbase from offering the Services to Customer. If Customer reasonably objects to an engagement in accordance with this paragraph, and Crunchbase cannot provide a commercially reasonable alternative within a reasonable period of time, Crunchbase may terminate this Addendum. Termination shall not relieve Customer of any fees owed to Crunchbase under the Terms. 

Crunchbase will enter into a written agreement with each Authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on Crunchbase under this Addendum with respect to the protection of Protected Data. In case an Authorized Sub-Processor fails to fulfill its data protection obligations under such written agreement with Crunchbase, Crunchbase will remain liable to Customer for the performance of the Authorized Sub-Processor’s obligations under such agreement.

The above authorizations will constitute Customer’s prior written consent to the subcontracting by Crunchbase of the processing of Protected Data if such consent is required under the Model Clauses, and the parties agree that the copies of the agreements with Authorized Sub-Processors that must be provided by Crunchbase to Customer pursuant to Clause 5(j) of the Model Clauses may have commercial information, or information unrelated to the Model Clauses or their equivalent, removed by Crunchbase beforehand, and that such copies will be provided by Crunchbase only upon request by Customer.

Security of Protected Data. 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Crunchbase shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Protected Data.

Transfers of Personal Data.

The parties agree that Crunchbase may transfer Protected Data outside the European Economic Area (“EEA”), the United Kingdom, or Switzerland as necessary to provide the Services. If Crunchbase transfers Protected Data to a jurisdiction for which the European Commission has not issued an adequacy decision, Crunchbase will use reasonable efforts to ensure that appropriate safeguards have been implemented for the transfer of such Protected Data in accordance with Applicable Privacy Laws.

Where required, any transfer of Personal Data made subject to this Addendum to any countries which do not ensure an adequate level of data protection shall be undertaken by Crunchbase and Customer through either (a) for Protected Data, European Commission Decision C(2010) 593 Standard Contractual Clauses for Controllers to Processors (or a successor or replacement version thereof) or (b) for all other Personal Data, the European Commission Decision C(2004) 5271 Standard Contractual Clauses for Controllers to Controllers (or a successor or replacement version thereof) (as applicable, the “Model Clauses”), the terms of which are herein incorporated by reference or, if available, an alternative compliance mechanism authorized pursuant to Applicable Privacy Laws or subsequent guidance from EEA or United Kingdom regulators, as applicable. For purposes of such transfer, Crunchbase shall be deemed the “Data Importer” and Customer shall be deemed the “Data Exporter.” The optional clauses of the Model Clauses are expressly not included. Each party’s signature to this Addendum shall be considered a signature to the Model Clauses. If required by the laws or regulatory procedures of any jurisdiction, the parties shall execute or re-execute the Model Clauses as separate documents.

Rights of Data Subjects.

Crunchbase shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, and/or objection to being subject to Processing that constitutes automated decision-making, in each case, with respect to Protected Data (such requests individually and collectively “Data Subject Request(s)”). If Crunchbase receives a Data Subject Request in relation to Protected Data, Crunchbase will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of Processing, or withdrawal of consent to Processing of any Protected Data are communicated to Crunchbase, and, if applicable, for ensuring that a record of consent to Processing is maintained with respect to each Data Subject.

Crunchbase shall, at the request of Customer, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Crunchbase’s assistance and (ii) Crunchbase is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Crunchbase.

Actions and Access Requests.

Crunchbase shall, taking into account the nature of the Processing and the information available to Crunchbase, provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under the GDPR to conduct a data protection impact assessment relating to Crunchbase’s Processing of Protected Data and/or to demonstrate such compliance, provided that Customer does not otherwise have access to the relevant information. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Crunchbase.

Crunchbase shall, taking into account the nature of the Processing and the information available to Crunchbase, provide Customer with reasonable cooperation and assistance with respect to Customer’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR in relation to Crunchbase’s Processing of Protected Data. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Crunchbase.

Crunchbase shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Terms. Customer shall, with reasonable notice to Crunchbase, have the right to review, audit and copy such records at Crunchbase’s offices during regular business hours.

Upon Customer’s request, Crunchbase shall, no more than once per calendar year, either (i) make available for Customer’s review copies of certifications or reports demonstrating Crunchbase’s compliance with prevailing data security standards applicable to the Processing of Protected Data, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Applicable Privacy Law, allow Customer or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Crunchbase’s data security infrastructure and procedures that is sufficient to demonstrate Crunchbase’s compliance with its obligations under this Addendum, provided that Customer shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Crunchbase’s business. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Crunchbase for any time expended for on-site audits. If Customer and Crunchbase have entered into the Model Clauses, the parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Model Clauses shall be carried out in accordance with this Section. 

In the event of a Personal Data Breach of Protected Data, Crunchbase shall (a) without undue delay, inform Customer of the Personal Data Breach and take reasonable steps to remediate such violation (to the extent that remediation is within Crunchbase’s reasonable control); and (b) taking into account the nature of the Processing and the information available to Crunchbase, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Applicable Privacy Law, including with respect to notifying any persons as required.

Law Enforcement Requests.

If a law enforcement or government agency sends Crunchbase a demand for Protected Data, Crunchbase shall attempt to redirect the agency to request that data directly from Customer. As part of this effort, Crunchbase may provide Customer’s basic contact information to the law enforcement or government agency. If compelled to disclose Protected Data to a law enforcement or government agency, then Crunchbase shall give Customer reasonable notice of the demand and cooperation to allow Customer to seek a protective order or other appropriate remedy unless Crunchbase is legally prohibited from doing so. Crunchbase shall not voluntarily disclose Protected Data to any law enforcement or government agency.

ARTICLE III – PROCESSING OF INCLUDED DATA

For purposes of the GDPR, the parties acknowledge that they are each a separate and independent Controller of any Included Data. The parties do not and will not Process Included Data as joint Controllers. Each party shall comply with the obligations that apply to it as a Controller under the GDPR, and each party shall be individually and separately responsible for its own compliance.

Customer shall Process Included Data only for the purposes set forth in the Terms or as otherwise agreed in writing by the parties, provided such processing strictly complies with all applicable privacy laws and Customer’s obligations under this Addendum. To the extent legally required, Customer shall maintain a publicly-accessible privacy policy on any applicable mobile applications and/or websites that satisfies all transparency and notice requirements set forth in any Applicable Privacy Law with respect to Customer’s Processing of Included Data. Notwithstanding anything to the contrary in the Terms, Customer shall immediately delete or destroy all Included Data in its possession upon the conclusion of Customer’s purpose for Processing such Included Data.

In the event that Customer receives a request from a Data Subject relating to the Processing of Personal Data by Crunchbase, Customer will (i) promptly notify Crunchbase of such request, (ii) direct the Data Subject to Crunchbase in order to enable Crunchbase to respond directly to the request, and (iii) reasonably cooperate with Crunchbase in responding to such request. Without limiting the foregoing, Customer agrees that it will promptly notify Crunchbase of any request pursuant to Article 16 (Right to rectification), Article 17 (Right to erasure), or Article 18 (Right to restriction of processing) of the GDPR that relates in any way to the Content.

Customer acknowledges that, from time to time, Included Data may be updated, modified, augmented, or removed from the Content. Customer shall regularly check such Content and ensure that it is using the most up-to-date version of the Included Data. Without limiting the foregoing, Customer agrees to promptly delete and, if applicable, cease all sales of, any Included Data for which Crunchbase notifies Customer (including by updating the Content) that Crunchbase has received a deletion, opt-out, or similar request, and will indemnify Crunchbase for any claims relating to Customer’s breach of the foregoing.

Each party shall implement appropriate technical and organisational measures to protect the Included Data. Customer is not required to certify to the EU-US and Swiss-US Privacy Shield Framework and Principles issued by the U.S. Department of Commerce, both available at https://www.privacyshield.gov/EU-US-Framework (the “Privacy Shield Principles”); however, Customer shall use at least the same level of privacy protection as is required by the Privacy Shield Principles and shall promptly notify Crunchbase of any inability to provide such protection. 

In the event that Customer suffers any actual or suspected Personal Data Breach with respect to the Included Data, Customer shall notify Crunchbase without undue delay and the parties shall reasonably cooperate with each other in taking such measures as may be necessary to notify affected individuals, comply with each party’s obligations under Applicable Privacy Law, and mitigate or remedy the effects of such Personal Data Breach.

If and to the extent Customer transfers any Included Data to any third party, Customer shall first enter into contractual arrangements with such third party obligating such third party to process the Included Data in accordance with the requirements of Applicable Privacy Law and the Privacy Shield Principles. Customer shall comply with Applicable Privacy Law in connection with its transfer (including any sale) of Included Data to third parties.

EXHIBIT A

Details of Processing

Nature and Purpose of Processing: See Terms

Duration of Processing: Duration of Customer’s use of the Services

Categories of Data Subjects: Customer employees and Data Subjects included in User Submissions

Type of Personal Data: Personal identifiers, address and other Personal Data included in User Submissions

EXHIBIT B

Authorized Sub-Processors

Customer acknowledges and agrees that the following types of entities shall be deemed Authorized Sub-Processors that may Process Personal Data pursuant to this Addendum:

Fundamental infrastructure (including AWS, Snowflake, Google Tag Manager, Sendgrid, Split, Zuora)


Web analytics (including Google Analytics, Heap, FullStory)


Communication (including Marketo, Iterable, Slack, Zoom, Pendo, Gong, Outreach)


Support (including Drift, Zendesk, Aha, Airtable, Google Suites, JIRA)


Retargeting/Advertising (including Facebook Ads, Comscore, Google Ads)


Product Analytics (including Delighted, Periscope)


Account Management (including Salesforce)