BitSight Data Sharing Agreement

Last Updated: March 16, 2023

This data sharing agreement (the “Data Sharing Agreement”) is by and between BitSight Technologies, Inc. (“BitSight”) and you as a customer receiving the BitSight Services (the “Customer”) and is effective as of the effective date (the “Effective Date”) of that certain BitSight Main Terms and Conditions by and between the Parties (the “Subscription Agreement”). This Data Sharing Agreement forms part of, and is incorporated into, the Subscription Agreement.

A. Definitions. Capitalized terms not defined herein have the meaning given to them in the Subscription Agreement. The following definitions apply to this Data Sharing Agreement:

1. “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under this Data Sharing Agreement, in each case as amended from time to time, including without limitation the European Data Protection Laws, the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, “CCPA”), and Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados.


2. “BitSight Privacy Policy” means the privacy policy of BitSight available at https://www.bitsight.com/privacy-policy, or such other updated link provided by BitSight to Customer from time to time.


3. “BitSight Services” means the services and/or products to be provided by BitSight to Customer under the Subscription Agreement, including any required, usual, appropriate or acceptable methods to perform activities related to the BitSight Services, including (a) carrying out the BitSight Services or the business of which the BitSight Services are a part, (b) carrying out any benefits, rights and obligations related to the BitSight Services, (c) maintaining records relating to the BitSight Services, and (d) complying with any legal or self-regulatory obligations related to the BitSight Services.


4. “Controller”, “Personal Data Breach”, “Processing” and “Processor” each has the meaning given to it in Applicable Data Protection Laws.


5. "Data Subject” means a User or invited vendor access recipient pursuant to an “Enable Vendor Access” request or other similar product functionality.


6. “European Data Protection Laws” means the EU’s General Data Protection Regulation 2016/679 (the “EU GDPR”), the EU GDPR in such form as incorporated into the law of England and Wales, Scotland and Northern Ireland and the UK Data Protection Act 2018 (the “UK GDPR”), and the Swiss Federal Act on Data Protection, and any other applicable law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument implementing any of the foregoing (in each case as amended, consolidated, re-enacted or replaced from time to time).


7. “Personal Data” means Personal Data as defined by the Applicable Data Protection Laws, only to the extent such information relates to or is provided by Users pursuant to the BitSight Services.


8. “Standard Contractual Clauses” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time.

B. Parties’ Obligations

1. To the extent that the information disclosed by Customer to BitSight in connection with the performance of the BitSight Services contains Personal Data, the following provisions shall apply:
    
   1. Customer warrants that it has complied and continues to comply with the Applicable Data Protection Laws, in particular that is has obtained any necessary consents and/or provided any necessary notices, and otherwise has a legitimate ground to disclose the Personal Data to BitSight to enable BitSight to use and Process the Personal Data as contemplated by this Data Sharing Agreement and BitSight Privacy Policy.
       
   2. Customer shall protect, defend, indemnify and hold harmless BitSight and its directors, officers, employees, and representatives from and against any third-party claim (including claims by Data Subjects), demand, proceeding, action, liability, suit, expense, fine, penalty, damage, loss and cost (including without limitation legal and other professional advisers fees) (each a “Claim”) including a Claim brought by a supervisory authority or other regulator, relating to, arising out of or resulting from Customer’s failure to comply with Applicable Data Protection Laws in the collection, Processing and disclosure to BitSight of Personal Data or BitSight’s use of the Personal Data as envisaged by this Data Sharing Agreement.
       
   3. By using the BitSight Services and providing BitSight with Personal Data, Customer acknowledges that Customer’s information may be used as described in the Subscription Agreement and the BitSight Privacy Policy and Customer agrees to BitSight Processing Personal Data in the United States.

C. CCPA

In some instances, pursuant to the Subscription Agreement, BitSight will act as a Business under the CCPA, and in others, BitSight will act as a Service Provider under the CCPA. Where BitSight acts as a Service Provider, BitSight shall not (a) retain, use, or disclose Personal Data (i) for any purpose other than for the specific purpose of providing the services specified in the Agreement, including for a commercial purpose other than providing the services specified in the Agreement; (ii) outside of the direct business relationship between BitSight and Customer; or (iii) combine the Personal Data received from Customer with Personal Data that BitSight receives from, or on behalf of, another person or company, except as permitted under Applicable Data Protection Laws (iv) or as otherwise prohibited by the CCPA; or (b) sell Personal Data. The Personal Data that Customer disclosed to BitSight is provided to BitSight for a Business Purpose, BitSight shall not Sell or Share the Personal Data, as those terms are defined in the CCPA and the transfer of the Personal Data to BitSight shall not be considered a “sale” as defined in the CCPA.

D. Cross-Border Transfers of Personal Data

1. With respect to the transfer of Personal Data from Customer to BitSight under the European Data Protection Laws, the Parties agree to comply with the general clauses and with “Module One” (Transfer Controller to Controller) of the Standard Contractual Clauses, which are incorporated herein by reference.
    
   1. when Customer and BitSight are both acting as a controller, “Module One” (Transfer Controller to Controller) of the Standard Contractual Clauses, which are incorporated herein by reference;
       
   2. when Customer is acting as a controller and BitSight as a processor, “Module Two” (Transfer Controller to Processor) of the Standard Contractual Clauses, which are incorporated herein by reference;
       
   3. when Customer and BitSight are both acting as a processor, “Module Three” (Transfer Processor to Processor) of the Standard Contractual Clauses, which are incorporated herein by reference; or
       
   4. when BitSight is acting as a controller and Customer as a processor, “Module Four” (Transfer Processor to Controller) of the Standard Contractual Clauses, which are incorporated herein by reference.
       


2. In furtherance of the foregoing, the Parties agree that, for purposes of the Standard Contractual Clauses:
    
   1. Customer shall act and comply with the obligations as the "data exporter", and BitSight shall act and comply with the obligations as the "data importer";
       
   2. Clause 7 of the Standard Contractual Clauses shall apply;
       
   3. for the purposes of Modules Two (Transfer Controller to Processor), Three (Transfer Processor to Processor) and Four (Transfer Processor to Controller) of the Standard Contractual Clauses, Option 2 in Clause 9(a) shall apply and the relevant time period shall be 72 hours;
       
   4. the optional wording in Clause 11(a) of the Standard Contractual Clauses shall not apply;
       
   5. for the purposes of Clause 17 of the Standard Contractual Clauses, the Standard Contractual Clauses shall be governed by the laws of Portugal;
       
   6. for the purposes of Clause 18(b) of the Standard Contractual Clauses, the Parties agree to submit to the jurisdiction of the courts of Portugal; and
       
   7. Annex I to the Standard Contractual Clauses shall be completed as follows:
       
      1. For the purposes of Section A (List of Parties) of Annex I, (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the European Union are those set forth in the Subscription Agreement, in an Order or as otherwise communicated by each Party to the other Party; (ii) where Module One applies, Customer is a Controller, and BitSight is a Controller, where Module Two applies, Customer is a Controller, and BitSight is a Processor, where Module Three applies, Customer is a Processor, and BitSight is a Processor; and where Module Four applies, Customer is a Processor and BitSight is a Controller; (iii) the activities relevant to the data transferred under the Standard Contractual Clauses relate to the provision of the BitSight Services pursuant to the Subscription Agreement; and (iv) Customer’s entering into this Data Sharing Agreement shall be treated as Customer’s signature of Annex I, Section A;
          
      2. For the purposes of Section B (Description of Transfer) of Annex I, (i) categories of data subjects may include Data Exporter’s vendors, employees and contractors and any other individuals that it provides with access to the products and services under the Subscription Agreement; (ii) categories of personal data transferred are Personal Data submitted, stored, sent by, or received from, Customer or Users, including names, user IDs, email addresses, IP addresses and other electronic or technical data submitted, stored or sent by Users; (iii) no sensitive data is transferred; (iv) the frequency of the transfer is continuous (for as long as Customer or Users use the BitSight Services); (v) the nature of the Processing include but is not limited to collection, storage, retrieval, use, disclosure, erasure, destruction and access to Personal Data. Processing will also include any Processing needed to provide the BitSight Services and as described in the BitSight Privacy Policy; (vi) the purpose(s) of the transfer and further processing is conducting the operations necessary for the provision of the BitSight Services pursuant to the Subscription Agreement, including but not limited to communications regarding the BitSight Services, setting up accounts and providing support and customer success activities, deriving statistical and performance information related to the operation of and provision of access to the BitSight Services, and using such information to improve the BitSight Services; (vii) Personal Data will be retained in accordance with BitSight’s data retention policies. BitSight may delete Personal Data by anonymizing it so it can no longer be associated with a Data Subject; (viii) in relation to the subject matter, nature and duration of transfers to (sub-)processors, the Parties acknowledge that the BitSight Services are hosted by Amazon Web Services and that BitSight uses third-party SaaS providers to support the provision of products and services as well as BitSight’s subsidiaries. A list of sub-processors and the nature of the Processing activities can be found at: https://www.bitsight.com/subprocessors. Customer may subscribe to receive a notification when BitSight adds a new sub-processor to that website by adding their name and email address to the form found at the bottom of the webpage.
          
      3. For the purposes of Section C (Competent Supervisory Authority) of Annex I, the competent supervisory authority identified in accordance with Clause 13 is the competent supervisory authority communicated by Customer to BitSight at [email protected]
          
3. The Parties agree that Section 4.3 (Limitation of Liability) of the Subscription Agreement shall not apply with respect to breaches of this Data Sharing Agreement or the subject matter hereof.
    
4. The Parties have agreed on the technical and organizational measures set forth at www.bitsight.com/security for purposes of Annex II to the Standard Contractual Clauses. If BitSight receives requests to provide a public authority with Personal Data, pursuant to Clause 15 of the Standard Contractual Clauses, it will comply with applicable law.

• Module Two and Module Three: Use of Sub-processors.
  Where BitSight is a Processor under Module Two or Module Three of the Standard Contractual Clauses, with respect to Clause 9(a) of the Standard Contractual Clauses, Customer grants BitSight general authorization for the engagement of sub-processor(s) from an agreed list, which is currently located at www.bitsight.com/subprocessors (the “Sub-Processor List Site”). BitSight shall inform Customer of any intended changes to that list at least fourteen (14) days in advance by updating the list of sub-processors on such site (which shall be deemed to be equivalent of written notice), thereby giving the Customer sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). In the event that Customer reasonably objects to the use of a new sub-processor during the aforementioned time period and Customer and BitSight cannot reach an agreement as to the use of the same, Customer’s sole remedy shall be termination of the portion of the BitSight Services for which the sub-processor is engaged without refund.


• With respect to the transfer of Personal Data from Customer to BitSight under other Applicable Data Protection Laws:
  1. The Parties agree to comply with the requirements above to the extent standard contractual clauses are required to meet legal obligations regarding cross-border transfers under the relevant Applicable Data Protection Laws. In such case, (i) references in the Standard Contractual Clauses to the GDPR shall hereby be deemed to have the same meaning as the equivalent reference in the Applicable Data Protection Laws; (ii) references in the Standard Contractual Clauses to “Member State” or “Union” shall hereby be deemed to refer to the relevant jurisdiction where the Applicable Data Protection Laws are in force; and (iii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter is established shall hereby be deemed to refer to an obligation under the Applicable Data Protection Laws.
      
  2. If required under UK GDPR, the parties hereby enter into and agree to be bound by the provisions of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the UK Information Commissioner and as available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK Addendum”). Part 1 of the UK Addendum will be deemed to be completed like its equivalent provisions in the Standard Contractual Clauses in Section D above. For the purpose of Table 4 of such Part 1, the party that may end the UK Addendum in accordance with Section 19 of the UK Addendum is BitSight. For the purposes of any transfers covered by the UK data protection laws, the Standard Contractual Clauses will be deemed to be amended as set out in Part 2 of the UK Addendum. Any references to EU legislation, EU authorities and the EU Member States in the UK Standard Contractual Clauses are amended to reflect corresponding UK legislation, UK competent authorities as appropriate. The optional clauses in the UK Addendum shall not apply. Where processing contractual provisions are required under the UK GDPR, the parties rely on the Standard Contractual Clauses as supplemented by the UK Addendum for such matters as permitted by Article 28(7) UK GDPR.

E. General

The terms and conditions included in this Data Sharing Agreement shall supersede and replace any and all prior data protection agreements or prior versions of the Standard Contractual Clauses or data privacy or data protection terms included in any other agreements between the Parties relating to the subject-matter covered by this Data Sharing Agreement. BitSight may modify this Data Sharing Agreement as required for purposes of complying with Applicable Data Protection Laws including in connection with (a) changes in corporate structure, and (b) the release of new features, functions, products or services or changes to any of the existing Services.