1. Definitions.
For purposes of this Addendum:
1.1 “Data Protection Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including, the California Privacy Rights Act amendments (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), and the United Kingdom Data Protection Act of 2018, as such laws may be amended from time to time. For the avoidance of doubt, if Crossbeam’s Processing activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this Addendum.
1.2 “Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
1.3 “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, which is included within Customer Data, and such terms shall have the same meaning as defined by applicable Data Protection Law.
1.4 “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.5 “Security Incident” means any confirmed unauthorized or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data being Processed by Crossbeam. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
1.6 “Subprocessor” means any third party authorized by Crossbeam or its affiliates to Process any Personal Data.
2. Scope.
2.1 This Addendum applies to the Personal Data that Crossbeam receives from Customer, or otherwise Processes on Customer’s behalf, in connection with the Service provided by Crossbeam to Customer pursuant to the Agreement, except that Annex A (EU Annex) to this Addendum applies only to such Processing of Personal Data governed by GDPR and the United Kingdom Data Protection Act of 2018 and Annex B (US Annex) to this Addendum applies only to such Processing of Personal Data governed by the relevant state privacy laws.
3. Purposes of Processing.
3.1 Subject Matter and Details of Processing. The Parties acknowledge and agree that (a) the subject matter of the Processing under the Agreement is Crossbeam’s provision of the Service; (b) the duration of the Processing is from Crossbeam’s receipt of Personal Data until deletion of all Personal Data by Crossbeam in accordance with the Agreement; (c) the nature and purpose of the Processing is to provide the Service; (d) the Data Subjects to whom the Processing pertains are Customer’s customers, end users or other individuals to whom Personal Data pertains; and (e) the categories of Personal Data are such categories as Customer is authorized to ingest into the Service under the Agreement.
3.2 Crossbeam will Process Personal Data: (1) to fulfill its obligations to Customer under the Agreement and this Addendum, including to share data provided by Customer with Partners (as defined in the Agreement) as instructed by Customer; (2) on Customer’s behalf; (3) in compliance with Data Protection Laws; and (4) to perform its legal obligations and to establish, exercise, or defend legal claims in respect of the Agreement.
3.3 If a Data Protection Law to which Crossbeam is subject requires Crossbeam to Process Personal Data in a manner that conflicts with the terms of the Agreement or this Addendum, Crossbeam will inform Customer of that legal requirement before Processing, unless that law prohibits Crossbeam from providing such information on important grounds of public interest within the meaning of the Data Protection Law.
3.4 Crossbeam will immediately inform Customer if, in Crossbeam’s opinion, an instruction from Customer infringes a Data Protection Law.
4. Personal Data Processing Requirements.
Crossbeam will:
4.1 Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 Assist Customer in the fulfilment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Protection Laws (such as rights to access or delete Personal Data), by notifying Crossbeam by email to privacy@crossbeam.com.
4.3 Promptly notify Customer by email of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Protection Laws; or (iii) any government request for access to or information about Crossbeam’s Processing of Personal Data on Customer’s behalf, unless prohibited by Data Protection Laws. If prohibited by law from disclosing the details of a government request to Customer, Crossbeam shall notify Customer that it can no longer process Personal Data in accordance with Customer’s instructions or pursuant to applicable law, without providing the details thereof, until applicable law permits it to provide such details.
4.4 Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Protection Laws.
4.5 Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Crossbeam under Data Protection Laws to consult with a regulatory authority in relation to Crossbeam’s Processing or proposed Processing of Personal Data.
5. Security
5.1 Crossbeam shall implement and maintain technical and organizational security measures designed to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data, in accordance with Crossbeam’s Security Policy which can be found here https://www.crossbeam.com/legal/security-policy/ (“Security Measures”). Crossbeam may update the Security Measures, provided, however, that such modifications shall not diminish the overall level of security.
5.2 Upon becoming aware of a confirmed Security Incident, Crossbeam shall notify Customer without undue delay unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of Crossbeam’s legitimate needs to investigate or remediate the matter before providing notice shall not constitute an undue delay. Such notices will describe, to the extent possible, details of the Security Incident, including steps taken to mitigate the potential risks and steps Crossbeam recommends Customer take to address the Security Incident. Without prejudice to Crossbeam’s obligations under this Section 5, Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Security Incidents. Crossbeam’s notification of or response to a Security Incident under this Section 5 will not be construed as an acknowledgement by Crossbeam of any fault or liability with respect to the Security Incident.
6. Subprocessors.
6.1 Customer specifically authorizes Crossbeam to use its affiliates (including without limitation Reveal SAS) as Subprocessors, and generally authorizes Crossbeam to engage Subprocessors to Process Personal Data.
6.2 Crossbeam shall enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this Addendum; and
6.3 Crossbeam remains liable for compliance with the obligations of this Addendum and for any acts or omissions of the Subprocessor that cause Crossbeam to breach any of its obligations under this Addendum.
6.4 A list of Crossbeam’s Subprocessors is available at https://www.crossbeam.com/subprocessors/ or such other website as Crossbeam may designate In addition, if the Customer is using the Reveal Nearbound Platform or related services, the applicable list of Subprocessors is available at https://www.reveal.co/legals/sub-processors (each a “Subprocessor Page”), and each Subprocessor Page may be updated by Crossbeam from time to time in accordance with this Addendum.
6.5 When any new subprocessor is engaged, Crossbeam will notify Customer of the engagement, which notice may be given by updating the Subprocessor Page. Crossbeam will give such notice at least ten (10) calendar days before the new Subprocessor Processes any Personal Data, except that if Crossbeam reasonably believes engaging a new Subprocessor on an expedited basis is necessary to protect the confidentiality, integrity or availability of the Personal Data or avoid material disruption to the Service, Crossbeam will give such notice as soon as reasonably practicable. If, within five (5) calendar days after such notice, Customer notifies Crossbeam in writing that Customer objects to Crossbeam’s appointment of a new Subprocessor based on reasonable data protection concerns, the Parties will discuss such concerns in good faith and whether they can be resolved. If the Parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience.
7. Audits and Reviews of Compliance.
To the extent applicable Data Protection Laws include a right for Customer to audit Crossbeam’s Processing of Personal Data, Customer will exercise such audit right, and Crossbeam will fulfill its corresponding obligations, as follows:some text
7.1 Crossbeam shall make available to Customer relevant information regarding Crossbeam’s Processing of Personal Data under this Addendum in the form of Crossbeam’s most recent SOC 2 Type II certifications or similar audit reports (“Third Party Reports”).
7.2 Not more than once per calendar year and at Customer’s expense, Customer may audit Crossbeam’s Processing of Personal Data for compliance with its obligations under this Addendum by submitting reasonable requests for information, including security and audit questionnaires. Crossbeam will provide written responses to the extent the requested information is necessary to confirm Crossbeam’s compliance with this Addendum. However, if the requested information is addressed in a Third Party Report issued within the 12-month period prior to Customer’s request and Crossbeam confirms there have been no material changes in the interim relevant to Customer’s request, Customer agrees to accept such Third Party Report in lieu of a written response. Any information provided by Crossbeam under this Section 7 constitutes Crossbeam’s Confidential Information under the Agreement.
7.3 If a third party is to conduct an audit under this Section 7.3., Crossbeam may object to the auditor if the auditor is, in Crossbeam’s reasonable opinion, not independent, a competitor of Crossbeam or otherwise unqualified. Such objection by Crossbeam will require Customer to appoint another auditor.
7.4 Customer will promptly notify Crossbeam of any non-compliance discovered during the course of an audit and provide Crossbeam any audit reports generated in connection with any audit under this Section 7.2, unless prohibited by GDPR or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and confirming that Crossbeam’s Processing of Personal Data complies with this Addendum.
7.5 Customer shall reimburse Crossbeam for any time expended by Crossbeam or its Subprocessors in connection with any audits under this Section 7 at Crossbeam’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. Nothing in this Addendum shall be construed to require Crossbeam to furnish more information about Subprocessors in connection with such audits than such Subprocessors make generally available to their customers. Nothing in this Section 7 shall require Crossbeam to breach any duties of confidentiality.
8. Return or Destruction of Personal Data.
Except to the extent required otherwise by Data Protection Law, Crossbeam will within sixty (60) days after written request by Customer following the termination or expiration of the Agreement, return to Customer and/or securely destroy all Personal Data. Except to the extent prohibited by Addendum, Crossbeam will inform Customer if it is not able to return or delete the Personal Data.
9. General.
9.1 This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
9.2 Notwithstanding any provision to the contrary of the Agreement or this Addendum, Crossbeam may cooperate with law enforcement agencies concerning conduct or activity that it reasonably and in good faith believes may violate federal, state, or local law.
9.3 Any liabilities arising under this Addendum are subject to the limitations of liability in the Agreement.
9.4 This Addendum will automatically terminate upon expiration or termination of the Agreement.
