BitSight Data Sharing Agreement

Last Updated: April 7, 2022

This data sharing agreement (the “Data Sharing Agreement”) is by and between BitSight Technologies, Inc. (“BitSight”) and the undersigned (the “Customer”) and is effective as of the effective date (the “Effective Date”) of that certain BitSight Main Terms and Conditions by and between the Parties (the “Subscription Agreement”). This Data Sharing Agreement forms part of, and is incorporated into, the Subscription Agreement.

A. Definitions. Capitalized terms not defined herein have the meaning given to them in the Subscription Agreement. The following definitions apply to this Data Sharing Agreement:

1. “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under this Data Sharing Agreement, in each case as amended from time to time, including without limitation the European Data Protection Laws and Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados.
2. “BitSight Privacy Policy” means the privacy policy of BitSight available at https://www.bitsight.com/privacy-policy, or such other updated link provided by BitSight to Customer from time to time.
3. “BitSight Services” means the services and/or products to be provided by BitSight to Customer under the Subscription Agreement, including any required, usual, appropriate or acceptable methods to perform activities related to the BitSight Services, including (a) carrying out the BitSight Services or the business of which the BitSight Services are a part, (b) carrying out any benefits, rights and obligations related to the BitSight Services, (c) maintaining records relating to the BitSight Services, and (d) complying with any legal or self-regulatory obligations related to the BitSight Services.
4. “Controller”, “Personal Data Breach”, “Processing” and “Processor” each has the meaning given to it in Applicable Data Protection Laws.
5. "Data Subject” means a User.
6. “European Data Protection Laws” means the EU’s General Data Protection Regulation 2016/679 (the “EU GDPR”), the EU GDPR in such form as incorporated into the law of England and Wales, Scotland and Northern Ireland and the UK Data Protection Act 2018 (the “UK GDPR”), and the Swiss Federal Act on Data Protection, and any other applicable law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument implementing any of the foregoing (in each case as amended, consolidated, re-enacted or replaced from time to time).
7. “Personal Data” means Personal Data as defined by the Applicable Data Protection Laws, only to the extent such information relates to Users.
8. “Standard Contractual Clauses” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time.

B. Parties’ Obligations

1. To the extent that the information disclosed by Customer to BitSight in connection with the performance of the BitSight Services contains Personal Data, the following provisions shall apply:
    
   1. Customer warrants that it has complied and continues to comply with the Applicable Data Protection Laws, in particular that is has obtained any necessary consents and/or provided any necessary notices, and otherwise has a legitimate ground to disclose the Personal Data to BitSight to enable BitSight to use and Process the Personal Data as contemplated by this Data Sharing Agreement and BitSight Privacy Policy.
       
   2. Customer shall protect, defend, indemnify and hold harmless BitSight and its directors, officers, employees, and representatives from and against any third-party claim (including claims by Data Subjects), demand, proceeding, action, liability, suit, expense, fine, penalty, damage, loss and cost (including without limitation legal and other professional advisers fees) (each a “Claim”) including a Claim brought by a supervisory authority or other regulator, relating to, arising out of or resulting from Customer’s failure to comply with Applicable Data Protection Laws in the collection, Processing and disclosure to BitSight of Personal Data or BitSight’s use of the Personal Data as envisaged by this Data Sharing Agreement.
       
   3. By using the BitSight Services and providing BitSight with Personal Data, Customer acknowledges that Customer’s information may be used as described in the Subscription Agreement and the BitSight Privacy Policy and Customer agrees to BitSight Processing Personal Data in the United States.

C. Cross-Border Transfers of Personal Data

1. With respect to the transfer of Personal Data from Customer to BitSight under the European Data Protection Laws, the Parties agree to comply with the general clauses and with “Module One” (Transfer Controller to Controller) of the Standard Contractual Clauses, which are incorporated herein by reference. In furtherance of the foregoing, the Parties agree that, for purposes of the Standard Contractual Clauses:
    
   1. Customer shall act and comply with the obligations as the "data exporter", and BitSight shall act and comply with the obligations as the "data importer";
       
   2. for the purposes of Clause 17 of the Standard Contractual Clauses, the Standard Contractual Clauses shall be governed by the laws of Portugal;
       
   3. for the purposes of Clause 18(b) of the Standard Contractual Clauses, the Parties agree to submit to the jurisdiction of the courts of Portugal; and
       
   4. Annex I to the Standard Contractual Clauses shall be completed as follows:
       
      1. For the purposes of Section A (List of Parties) of Annex I, (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the European Union are those set forth in the Subscription Agreement, in an Order or as otherwise communicated by each Party to the other Party; (ii) Customer is a Controller, and BitSight is a Controller; (iii) the activities relevant to the data transferred under the Standard Contractual Clauses relate to the provision of the BitSight Services pursuant to the Subscription Agreement; and (iv) Customer’s entering into this Data Sharing Agreement shall be treated as Customer’s signature of Annex I, Section A;
          
      2. For the purposes of Section B (Description of Transfer) of Annex I, (i) categories of data subjects are Data Exporter’s employees and contractors and any other individuals that it provides with access to the products and services under the Subscription Agreement; (ii) categories of personal data transferred are Personal Data submitted, stored, sent by, or received from, Customer or Users, including names, user IDs, email addresses, IP addresses and other electronic or technical data submitted, stored or sent by Users; (iii) no sensitive data is transferred; (iv) the frequency of the transfer is continuous (for as long as Customer or Users use the BitSight Services); (v) the nature of the Processing include but is not limited to collection, storage, retrieval, use, disclosure, erasure, destruction and access to Personal Data. Processing will also include any Processing needed to provide the BitSight Services and as described in the BitSight Privacy Policy; (vi) the purpose(s) of the transfer and further processing is conducting the operations necessary for the provision of the BitSight Services pursuant to the Subscription Agreement, including but not limited to communications regarding the BitSight Services, setting up accounts and providing support and customer success activities, deriving statistical and performance information related to the operation of and provision of access to the BitSight Services, and using such information to improve the BitSight Services; (vii) Personal Data will be retained in accordance with BitSight’s data retention policies, which provide that Personal Data will be deleted when no longer needed or six months after account expiration (unless subject to a legal or other obligation for retention). BitSight may delete Personal Data by anonymizing it so it can no longer be associated with a Data Subject; (viii) in relation to the subject matter, nature and duration of transfers to (sub-)processors, the Parties acknowledge that the BitSight Services are hosted by Amazon Web Services and that BitSight uses third-party SaaS providers to support the provision of products and services as well as BitSight’s subsidiaries. A list of sub-processors and the nature of the Processing activities can be found at: https://www.bitsight.com/subprocessors.
          
      3. For the purposes of Section C (Competent Supervisory Authority) of Annex I, the competent supervisory authority identified in accordance with Clause 13 is the competent supervisory authority communicated by Customer to BitSight at BitSight’s contact details listed in this annex.
          
   5. The Parties agree that Section 4.3 (Limitation of Liability) of the Subscription Agreement shall not apply with respect to breaches of this Data Sharing Agreement or the subject matter hereof.
       
   6. The Parties have agreed on the technical and organizational measures set forth at www.bitsight.com/security for purposes of Annex II to the Standard Contractual Clauses. If BitSight receives requests to provide a public authority with Personal Data, pursuant to Clause 15 of the Standard Contractual Clauses, it will comply with applicable law.
       
2. With respect to the transfer of Personal Data from Customer to BitSight under other Applicable Data Protection Laws:
   1. the Parties agree to comply with Section C.1 above to the extent standard contractual clauses are required to meet legal obligations regarding cross-border transfers under the relevant Applicable Data Protection Laws. In such case, (i) references in the Standard Contractual Clauses to the GDPR shall hereby be deemed to have the same meaning as the equivalent reference in the Applicable Data Protection Laws; (ii) references in the Standard Contractual Clauses to “Member State” or “Union” shall hereby be deemed to refer to the relevant jurisdiction where the Applicable Data Protection Laws are in force; and (iii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter is established shall hereby be deemed to refer to an obligation under the Applicable Data Protection Laws.
       
   2. If required under UK data protection law, the parties hereby enter into and agree to be bound by the provisions of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the UK Information Commissioner and as available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK Addendum”). Part 1 of the UK Addendum will be deemed to be completed like its equivalent provisions in the Standard Contractual Clauses in Section 1 above. For the purpose of Table 4 of such Part 1, the party that may end the UK Addendum in accordance with Section 19 of the UK Addendum is BitSight. For the purposes of any transfers covered by the UK data protection laws, the Standard Contractual Clauses will be deemed to be amended as set out in Part 2 of the UK Addendum. Any references to EU legislation, EU authorities and the EU Member States in the UK Standard Contractual Clauses are amended to reflect corresponding UK legislation, UK competent authorities as appropriate.

D. General

The terms and conditions included in this Data Sharing Agreement shall supersede and replace any and all prior data protection agreements or prior versions of the Standard Contractual Clauses or data privacy or data protection terms included in any other agreements between the Parties relating to the subject-matter covered by this Data Sharing Agreement.