Independent Controller Data Processing Addendum

You or the entity you represent (“Customer”) are entering (or have entered) into an agreement with Crunchbase, Inc. (“Crunchbase” and together with Customer, the “Parties,” each, a “Party”) for the provision of certain Crunchbase data and materials (the “Data License”). The Parties agree that the Crunchbase Materials (as defined in the Data License) may include certain personal information such as names, employment or educational history, social media identifiers, and other information. This Data Processing Addendum (“Addendum”) shall apply to all personal information, personal data, and other personal identifiers that may be included in the Crunchbase Materials, however defined by applicable law (“Personal Data”). All terms used but not defined in this Addendum shall have the meanings set forth in (a) the Data License, or (b) applicable privacy law(s).

I. Certain Definitions

“Applicable Privacy Law” means the CCPA, GDPR, and any other data protection, privacy, data breach, or similar or related laws applicable to a party’s use or other processing of Personal Data.

“CCPA” means the California Consumer Privacy Act of 2018, as amended.

“GDPR” means EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016.

“Included Data” means any Personal Data included in the Crunchbase Materials.

II. Obligations

For purposes of the GDPR, the Parties acknowledge that they are each a separate and independent controller of any Included Data. The Parties do not and will not process Included Data as joint controllers. Each Party shall comply with the obligations that apply to it as a controller under the GDPR, and each Party shall be individually and separately responsible for its own compliance.

Customer shall process Included Data only for the purposes set forth in the Data License or as otherwise agreed in writing by the Parties, provided such processing strictly complies with all applicable privacy laws and Customer’s obligations under this Addendum. Customer shall maintain a publicly-accessible privacy policy on its mobile applications and websites that satisfies all applicable transparency and notice requirements set forth in any Applicable Privacy Law with respect to Customer’s processing of Included Data. Notwithstanding anything to the contrary in the Data License, Customer shall immediately delete or destroy all Included Data in its possession upon the expiration or earlier termination of the Data License or, if sooner, upon the conclusion of Customer’s purpose for processing such Included Data.

In the event that Customer receives a request from an individual relating to the processing of such individual’s data by Crunchbase, Customer will (i) promptly notify Crunchbase of such request, (ii) direct the individual to Crunchbase in order to enable Crunchbase to respond directly to the request, and (iii) reasonably cooperate with Crunchbase in responding to such request. Without limiting the foregoing, Customer agrees that it will promptly (and in any event within five (5) business days) notify Crunchbase of any request pursuant to Article 16 (Right to rectification), Article 17 (Right to erasure), or Article 18 (Right to restriction of processing) of the GDPR that relates in any way to the Crunchbase Materials.

Customer acknowledges that, from time to time, Included Data may be updated, modified, augmented, or removed from the Crunchbase Materials. Crunchbase shall provide a delete API to Customer reflecting any such changes to the Included Data and Customer shall regularly check such delete API and ensure that it is using the most up-to-date version of the Included Data. Without limiting the foregoing, Customer agrees to promptly delete and, if applicable, cease all sales of, any Included Data for which Crunchbase notifies Customer (including by updating the delete API) that Crunchbase has received a deletion or opt-out request, and will indemnify Crunchbase for any claims relating to Customer’s breach of the foregoing.

Each Party shall implement appropriate technical and organisational measures to protect the
Included Data. At a minimum, Customer shall use at least the same level of privacy protection as is required by the EU-US and Swiss-US Privacy Shield Framework and Principles issued by the U.S. Department of Commerce, both available at https://www.privacyshield.gov/EU-US-Framework (the “Privacy Shield Principles”), and shall promptly notify Crunchbase of any inability to provide such protection. Every transfer of Included Data by Customer from the European Economic Area or Switzerland to the United States shall be made pursuant to the Privacy Shield Principles, and Customer shall certify to and comply with the Privacy Shield Principles for the duration of the Agreement.

In the event that Customer suffers any actual or suspected data breach (including any unauthorized access or use) with respect to the Included Data, Customer shall notify Crunchbase without undue delay and the Parties shall reasonably cooperate with each other in taking such measures as may be necessary to notify affected individuals, comply with each Party’s obligations under Applicable Privacy Law, and mitigate or remedy the effects of such data breach.

If and to the extent Customer transfers any Included Data to any third party, Customer shall first enter into contractual arrangements with such third party obligating such third party to process the Included Data in accordance with the requirements of Applicable Privacy Law. Customer shall comply with Applicable Privacy Law in connection with its transfer (including any sale) of Included Data to third parties.