BitSight Data Sharing Agreement

“Applicable Data Protection Laws” means i) the General Data Protection Regulation 2016/679 (the “GDPR”), the UK Data Protection Act 2018 (“UK DPA”) and the applied GDPR, and any other law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument implementing the GDPR, the UK DPA and the applied GDPR (in each case as amended, consolidated, re-enacted or replaced from time to time) or ii) any other applicable data protection laws (e.g. Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados); and

“Personal Data” has the meaning given to it in the GDPR.

1. To the extent that the information disclosed by Customer to BitSight contains Personal Data, the following provisions shall apply:

  1. Customer warrants that it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents and/or provided any necessary notices, and otherwise has a legitimate ground to disclose the Personal Data to BitSight to enable BitSight to use and process the Personal Data as contemplated by this Agreement.
  3. Customer and its representatives shall indemnify and hold harmless BitSight against any claim (including claims under Article 82 GDPR), demand, proceeding, action, liability, suit, expense, fine, penalty, damage, loss and cost (including without limitation legal and other professional advisers' fees) (each a “Claim”) including a Claim brought by a supervisory authority or other regulator to the extent arising out of or in connection with Customer’s failure to comply with Applicable Data Protection Laws in the collection, processing and disclosure to BitSight of Personal Data or BitSight’s use of the Personal Data as envisaged by this Agreement.
  5. The Parties agree that BitSight will act as an independent data controller of the information and therefore provisions of the standard contractual clauses for the transfer of Personal Data to controllers established in third countries set out in the European Commission Decision 2004/915/EC, as amended by EU Commission Implementing Decision 2016/2297 of 16 December 2016 as amended, supplemented, updated or replaced from time to time shall apply and are incorporated herein by reference, and (i) Customer shall act and comply with the obligations as the "data exporter"; (ii) BitSight shall act and comply with the obligations as the "data importer" including the data processing principles set forth in Annex A; and (iii) the description of transfer, the categories of data subjects, the categories of Personal Data and the recipients in Annex B shall be such activities as described in BitSight’s privacy policy, and the contact points shall be those listed in Section 7.1 of the Agreement.
  7. In any event, by using the BitSight Services provided by BitSight, Customer acknowledges that Customer’s information including Customer Personal Data is required under the Agreement with Customer and will be used as described in our privacy policy and Customer agrees to BitSight processing Personal Data in the United States.
