Data Processing Addendum
Last Modified:
June 8, 2026

We’ve updated our Data Processing Addendum. Please review it carefully. These updated terms will not apply to existing Customers until their next subscription renewal. For those customers that have executed negotiated agreements with Crossbeam, the agreement will be amended to include these updated terms at the next renewal period.

Updated June 8 2026

Customer and Crossbeam agree as follows:

This Data Processing Addendum (“Addendum”) supplements the Master Cloud Agreement or other written or electronic terms of service or subscription agreement governing Customer’s use of the Services (the “Agreement”) between Customer and Crossbeam, Inc. or the Crossbeam affiliate indicated in the Agreement (collectively, “Crossbeam”). Customer and Crossbeam are each referred to herein as a “Party” and together as the “Parties.” This Addendum forms part of, and is incorporated into, the Agreement. In the event of any conflict between the Addendum and the Agreement with respect to Processing of Personal Data, the terms of this Addendum will control.  All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement.

Customer and Crossbeam agree as follows:

  1. Definitions.
    For purposes of this Addendum:
    1. “Data Protection Laws” means all applicable laws, regulations, and other legal or governmental requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, as they may be amended or updated from time to time, including without limitation, to the extent applicable, the GDPR and the US Data Protection Laws.  For the avoidance of doubt, if Crossbeam’s Processing activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this Addendum.
    2. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
    3. GDPR” means Regulation (EU) 2016/679 (the "EU GDPR"), and, where applicable, the United Kingdom General Data Protection Regulation (the "UK GDPR"), as defined in Section 3 of the United Kingdom’s Data Protection Act 2018, and the Swiss Federal Act on Data Protection of 25 September 2020 ("FADP") and the Swiss Data Protection Ordinance of 31 August 2022 (the "Ordinance", and together with the FADP, the “Swiss Data Protection Laws”).
    4. Personal Data” means any data or information that constitutes “personal data,” “personal information,” “personally identifiable information,” and a similar term under Data Protection Laws, to the extent such data or information is included within Customer Data.
    5. Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether by automated means or otherwise, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    6. Security Incident” means any confirmed unauthorized or unlawful acquisition, destruction, loss, alteration, disclosure of, or access to, Personal Data Processed by Crossbeam. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other attacks on firewalls or networked systems.
    7. Subprocessor” means any third party authorized by Crossbeam or its affiliates to Process Personal Data on Crossbeam’s behalf.
    8. US Data Protection Laws” means all applicable federal and state laws, rules, regulations, and governmental requirements relating to privacy, data protection, and/or the Processing of Personal Data, in force from time to time, in the United States, including, without limitation: the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including, the California Privacy Rights Act amendments (the “CCPA”), the Virginia Consumer Data Protection Act, Code of Virginia Title 59.1 Chapter 52 § 59.1-571 et seq., the Colorado Privacy Act, Colorado Revised Statute Title 6 Article 1 Part 13 § 6-1-1301 et seq., the Utah Consumer Privacy Act, Utah Code § 13-6-101 et seq., Connecticut Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring (as such law is chaptered and enrolled).
    9. The terms "controller", "processor", "business" and "service provider" have the meanings given to them in the applicable Data Protection Laws.
  2. Scope
    This Addendum applies to the Personal Data that Crossbeam receives from Customer, or otherwise Processes on Customer’s behalf, in connection with the Services provided by Crossbeam to Customer pursuant to the Agreement (“Covered Data”). Annex A (European Annex) to this Addendum applies solely to the Processing of Personal Data subject to the GDPR, and Annex B (US Annex) to this Addendum applies solely to the Processing of Personal Data subject to the US Data Protection Laws.
  3. Roles of the Parties
    The Parties acknowledge and agree that, with respect to the Processing of Covered Data under the Agreement and this Addendum, Crossbeam acts as a processor or service provider, as applicable, and Customer acts as a controller or business, as applicable.
  4. Purposes of Processing.
    1. Subject Matter and Details of Processing. The Parties acknowledge and agree that: (a) the subject matter of the Processing is Crossbeam’s provision of the Services under the Agreement; (b) the duration of the Processing is from Crossbeam’s receipt of Covered Data until deletion or return of all Covered Data by Crossbeam in accordance with the Agreement; (c) the nature and purpose of the Processing is to provide the Services; (d) the categories of Data Subjects to whom the Processing of Covered Data pertains are Customer’s customers, prospective customers, end users, employees, contractors, or other individuals whose Personal Data is included in Covered Data; and (e) the categories of Covered Data are such categories as Customer submits to be Processed through the Services under the Agreement, which in no event should include Prohibited Data. Additional details relating to Processing are further set out in Annex I of this Addendum.
    2. Crossbeam will Process Covered Data: (a) to provide the Services and perform its obligations under the Agreement and this Addendum, including to share data provided by Customer with Partners (as defined in the Agreement) as instructed by Customer, to analyze Customer’s sales activity data to provide deal intelligence through Pace (if Customer is using Pace), and to source and maintain ecosystem relationship data through Trace; (b) on Customer’s behalf; (c) in compliance with Data Protection Laws; and (d) to perform its legal obligations, to respond to legally valid subpoenas or law enforcement requests, to establish, exercise, or defend legal claims in respect of the Agreement, and as otherwise necessary to protect and defend against Security Incidents and fraudulent or other harmful activity.
    3. If a law or legal process or order to which Crossbeam is subject requires Crossbeam to Process Personal Data in a manner that conflicts with the terms of the Agreement or this Addendum, Crossbeam will inform Customer of that legal requirement before Processing, unless that law or order prohibits Crossbeam from providing such information.
    4. Crossbeam will immediately inform Customer if, in Crossbeam’s opinion, an instruction from Customer infringes a Data Protection Law.
  5. Personal Data Processing Requirements.
    Customer will:
    1. Comply with its obligations as a controller, business, or equivalent role under the Data Protection Laws, and shall:
      1. a) Provide any notice to, and obtain any consents, permissions, or other authorizations from, Data Subjects regarding the Processing of their Covered Data in connection with the Customer’s use of the Services as required under Data Protection Laws;
      2. b) Implement and maintain appropriate technical and organisational measures to enable Customer to comply with Data Subject rights requests under applicable Data Protection Laws, and respond to such requests from Data Subjects to exercise their rights under Data Protection Laws within the timeframe, and subject to any exemptions, prescribed in the Data Protection Laws; and
      3. c) Enter into any data sharing agreements or other contracts with all Partners required to permit Crossbeam’s sharing of Covered Data with each such Partner and to satisfy Customer’s obligations under Data Protection Laws; and
      4. d) Where Customer uses Pace to Process Personal Data relating to Customer’s employees or other Data Subjects: (i) ensure a valid lawful basis under applicable Data Protection Laws (including GDPR Art. 6 and, where special category data may be incidentally involved, GDPR Art. 9) for such Processing; (ii) provide appropriate notice to affected Data Subjects; and (iii) satisfy any applicable employee consultation, works council, or similar requirements under applicable Laws prior to enabling such Processing.

        Crossbeam will:
    2. Ensure that all persons it authorizes to Process the Covered Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
    3. Taking into account the nature of the Processing, provide reasonable assistance to Customer in responding to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Protection Laws (such as rights to access or delete Personal Data);
    4. Promptly notify Customer by email if Crossbeam receives: (a) any complaint from a Data Subject or regulatory authority relating to the Processing of Covered Data; (b) any requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Protection Laws; or (c) any requests from a government authority for access to or information about Crossbeam’s Processing of Personal Data on Customer’s behalf, unless prohibited by Data Protection Laws;
    5. Taking into account the nature of the Processing and the information available to Crossbeam, provide reasonable assistance and cooperation to Customer in conducting a data protection impact assessment of Processing or proposed Processing of Covered Data, when required by applicable Data Protection Laws; and
    6. Taking into account the nature of the Processing and the information available to Crossbeam, provide reasonable assistance and cooperation to Customer in connection with consultations with regulatory authorities in relation to the Processing or proposed Processing of Covered Data, when required by applicable Data Protection Laws, including complying with any obligation applicable to Crossbeam under Data Protection Laws to consult with a regulatory authority in relation to Crossbeam’s Processing or proposed Processing of Covered Data.
  6. Security.
    1. Security Measures. Crossbeam shall implement and maintain technical and organizational security measures designed to protect Covered Data from Security Incidents, taking into account the nature, scope, context, and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to Covered Data, in accordance with Crossbeam’s Security Policy, available at https://www.crossbeam.com/legal/security-policy/ (“Security Measures”). Crossbeam may update the Security Measures from time to time, provided, however, that such modifications shall not materially diminish the overall level of security of the Services.
    2. Security Incidents. Upon becoming aware of a confirmed Security Incident, Crossbeam shall notify Customer without undue delay, unless prohibited by applicable law. A delay in providing such notice requested by law enforcement and/or reasonably necessary for Crossbeam to investigate or remediate the matter shall not constitute an undue delay. Such notices will describe, to the extent reasonably available, details of the Security Incident, including steps taken to mitigate the potential risks and steps Crossbeam recommends Customer take to address the Security Incident. Without prejudice to Crossbeam’s obligations under this Section 6, Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incidents. Crossbeam’s notification of, or response to, a Security Incident will not be construed as an acknowledgement by Crossbeam of any fault or liability with respect to the Security Incident.
  7. Subprocessors.
    1. Customer specifically authorizes Crossbeam to use its affiliates as Subprocessors, and generally authorizes Crossbeam to engage Subprocessors to Process Covered Data.
    2. Crossbeam shall enter into a written agreement with each Subprocessor, imposing data protection obligations that, in substance, are no less protective of Covered Data than those set out in this Addendum;
    3. Crossbeam remains liable for compliance with the obligations of this Addendum and for any acts or omissions of the Subprocessor that cause Crossbeam to breach any of its obligations under this Addendum.
    4. A list of Crossbeam’s Subprocessors is available at https://www.crossbeam.com/legal/subprocessors or such other website as Crossbeam may designate (“Subprocessor Page”), and may be updated by Crossbeam from time to time in accordance with this Addendum.
    5. Crossbeam will provide notice of any new Subprocessor by updating the Subprocessor Page at least fourteen (14) days before the Subprocessor Processes any Personal Data, except where Crossbeam reasonably believes earlier engagement is reasonably necessary to protect the confidentiality, integrity, or availability of the Services or Personal Data, or to avoid material disruption to the Services. In such cases, Crossbeam will provide such notice as soon as reasonably practicable. If, within five (5) days after notice, Customer notifies Crossbeam in writing that Customer objects to Crossbeam’s appointment of a new Subprocessor based on reasonable data protection concerns, the Parties will discuss such concerns in good faith and whether they can be resolved. If the Parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the portion of the Agreement relating to the Services affected by such change for convenience.
  8. Audits and Reviews of Compliance.
    To the extent applicable Data Protection Laws include a right for Customer to audit Crossbeam’s Processing of Covered Data, Customer will exercise such audit right, and Crossbeam will fulfill its corresponding obligations, as follows:
    1. Crossbeam shall make available to Customer relevant information regarding Crossbeam’s Processing of Covered Data under this Addendum in the form of Crossbeam’s most recent SOC 2 Type II certifications or similar audit reports (“Third-Party Reports”).
    2. Not more than once annually and at Customer’s expense, Customer may audit Crossbeam’s Processing of Covered Data for compliance with its obligations under this Addendum by submitting reasonable requests for information, including security and audit questionnaires. Crossbeam will provide written responses to the extent the requested information is necessary to demonstrate Crossbeam’s compliance with this Addendum. However, if the requested information is addressed in a Third-Party Report issued within the 12-month period prior to Customer’s request, and Crossbeam confirms there have been no material changes in the interim relevant to Customer’s request, Customer agrees to accept such Third-Party Report in lieu of a separate written response. Any information disclosed by Crossbeam under this Section 8 constitutes Crossbeam’s Confidential Information under the Agreement.
    3. If the information provided under Sections 8.1 and 8.2 is insufficient to demonstrate compliance with this Addendum, Customer may, not more than once annually and at Customer’s expense, conduct an audit of Crossbeam’s relevant Processing activities through an independent third-party auditor. Any such audits must: (a) be conducted upon reasonable prior written notice of at least thirty (30) days; (b) occur during Crossbeam’s normal business hours; (c) be conducted in a manner that does not materially disrupt Crossbeam’s business operations; and (d) be limited in scope to matters relevant to Crossbeam’s compliance with this Addendum. Crossbeam may object to the auditor if the auditor is, in Crossbeam’s reasonable opinion, not independent, a competitor of Crossbeam, or otherwise unqualified. Such objection by Crossbeam will require Customer to appoint another auditor. Crossbeam shall not be required to facilitate any such audit unless and until the Parties have agreed in writing the scope, timing, and duration of such audit.
    4. Customer will promptly notify Crossbeam of any non-compliance discovered during the course of an audit and provide Crossbeam any audit reports generated in connection with any audit under this Section 8, unless prohibited by GDPR or otherwise instructed by a supervisory authority. Customer may use the audit reports solely for the purposes of satisfying Customer’s regulatory audit requirements and confirming that Crossbeam’s Processing of Covered Data complies with this Addendum.
    5. Customer shall reimburse Crossbeam for its reasonable costs incurred in supporting any audits conducted under this Section 8, including time spent by Crossbeam personnel at Crossbeam’s then-current professional services rates, which shall be made available to Customer upon request. Customer will also be responsible for the fees and expenses charged by any auditor it engages. Nothing in this Addendum shall be construed to require Crossbeam to furnish more information about Subprocessors in connection with such audits than such Subprocessors make generally available to their customers. Nothing in this Section 8 shall require Crossbeam to disclose information that would compromise the security of the Services, violate applicable Law, breach obligations owed to third parties, or disclose confidential information of other customers or Subprocessors.
  9. Return or Destruction of Personal Data.
    Except to the extent required otherwise by Data Protection Law, Crossbeam will within sixty (60) days after written request by Customer following the termination or expiration of the Agreement, return to Customer and/or securely destroy all Personal Data. Except to the extent prohibited by applicable Data Protection Law, Crossbeam will inform Customer if it is not able to return or delete the Personal Data. Notwithstanding the foregoing, Crossbeam may retain Personal Data contained in routine backup systems until such data is deleted in the ordinary course, provided that such Personal Data remains subject to the confidentiality, security, and other applicable obligations set forth in the Agreement and this Addendum.
  10. General
    a) This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions set forth in the Agreement, except to the extent otherwise required by applicable Data Protection Laws.
    b) Nothing in this Addendum restricts Crossbeam from disclosing Covered Data to the extent required by law enforcement agencies concerning conduct or activity that it reasonably and in good faith believes may violate applicable Law.
    c) Any liability arising under or in connection with this Addendum will be subject to the limitations of liability set forth in the Agreement.
    d) This Addendum will automatically terminate upon expiration or termination of the Agreement.
  11. European Data Protection Clauses
    1. a) Definitions; Processing of Data.
      1. i. Definitions. For purposes of this Section 11, the terms “controller”, “processor” and “supervisory authority” have the meanings given to them under the GDPR; “Standard Contractual Clauses” or “SCCs” means the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as completed as set forth in Annex III to this Addendum; and “data importer” and “data exporter” have the meanings given to them in the Standard Contractual Clauses.
      2. ii. Regulatory Compliance. Each Party will comply with its respective obligations under the GDPR with respect to the Processing of Personal Data subject to GDPR.
      3. iii. International Data Transfers. To the extent Customer transfers Personal Data subject to the GDPR, UK GDPR, or Swiss Data Protection Laws to Crossbeam in a jurisdiction that does not provide an adequate level of protection under the applicable Data Protection Laws, the Standard Contractual Clauses as set out in this Addendum will apply and are incorporated into this Addendum by reference. Where applicable, such transfers may include Personal Data Processed through Pace, including communications data relating to Data Subjects located in the European Economic Area, the United Kingdom, or Switzerland.
      4. iv. Supplementary Measures. Upon Customer’s reasonable written request, Crossbeam will make available information regarding the technical and organizational measures implemented to protect Personal Data transferred pursuant to the Standard Contractual Clauses and will reasonably assist Customer in evaluating compliance with applicable international data transfer requirements under the GDPR, UK GDPR, and Swiss Data Protection Laws.
    2. b) Data Transfers.
      1. i. The Standard Contractual Clauses, as further set out in Annex III, shall apply to the transfer of any Covered Data from Customer to Crossbeam, and form part of this Addendum, to the extent that:
        1. 1. the EU GDPR, UK GDPR or Swiss Data Protection Laws applies to the Customer when making that transfer; or
        2. 2. the Data Protection Laws that apply to the Customer when making that transfer (the "Exporter Data Protection Laws") prohibit the transfer of Covered Data to Crossbeam under this Addendum in the absence of a transfer mechanism implementing adequate safeguards in respect of the Processing of that Covered Data, and any one or more of the following applies:
          1. a) the relevant authority with jurisdiction over the Customer’s transfer of Covered Data under this Addendum has not formally adopted standard data protection clauses or another approved transfer mechanism under the Exporter Data Protection Laws; or
          2. b) such authority has issued guidance that the European Commission’s SCCs satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
          3. c) established market practice in relation to transfers subject to the Exporter Data Protection Laws is to rely on the European Commission’s SCCs to satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
          4. d) the transfer constitutes an "onward transfer" (as defined in the applicable module of the SCCs).
      2. ii. The Parties agree that execution of the Agreement constitutes execution of, and agreement to be bound by, the SCCs, including the applicable modules, appendices, and annexes incorporated therein.
  12. US Data Protection Clauses
    This Section 12 applies solely to the Processing of Covered Data subject to the US Data Protection Laws.
    1. Crossbeam will not: (a) “sell” or “share” Covered Data (as such terms in quotation marks are defined in applicable US Data Protection Law); (b) Process Covered Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms in quotation marks are defined in applicable US Data Protection Law); or (c) otherwise Process Covered Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Customer.
    2. Crossbeam will not attempt to link, identify, or otherwise associate Personal Data with non-Personal Data or any other datasets without the express authorization of Customer.
    3. Crossbeam will not retain, use, or disclose Covered Data outside of the direct business relationship between Crossbeam and Customer.
    4. Crossbeam will not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data without Customer’s express written permission.
    5. Crossbeam will not, except as otherwise instructed by Customer or permitted by Data Protection Laws, combine Covered Data with Personal Data that Crossbeam receives from or on behalf of another person or persons, or collects from its own interaction with a Data Subject.
    6. Notwithstanding anything in the Agreement or any order form entered in connection therewith, the Parties acknowledge and agree that Crossbeam’s access to Personal Data does not constitute consideration exchanged between the Parties in respect of the Agreement.
    7. Crossbeam certifies that it understands and will comply with its obligations under this Addendum, including under this Section 12.

ANNEX I

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]  

The data exporter is: each of the Customer and/or Customer affiliates operating in the countries which comprise the European Economic Area, UK and/or Switzerland and/or Customer and/or Customer Affiliates in any other country to the extent the GDPR applies.

  • Contact person’s name, position and contact details: Contact details set forth on the applicable Order Form or account registration
  • Activities relevant to the data transferred under these Clauses: Provision of the Services

Data importer(s):  [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

  • Name: Crossbeam, Inc.
  • Address: 30 S 15th St Ste 1550, PMB 15987, Philadelphia, Pennsylvania 19102-4826, United States
  • Contact person’s name, position and contact details: Amy Rose, General Counsel, legal@crossbeam.com
  • Activities relevant to the data transferred under these Clauses: the data importer Processes Personal Data provided by the data exporter on behalf of the data exporter in connection with providing the Services to the data exporter as further described in section B of this Annex and in the Agreement.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

  • Customer business contacts and customer employees; Customer’s sales representatives and other employees whose activity data is Processed through Pace; individuals whose business relationship data is sourced through Trace

Categories of personal data transferred

  • Business contact information, IP addresses and log data; sales activity and communications data where Customer uses Pace (including names, email addresses, phone numbers, job titles, and records of sales interactions and call summaries); ecosystem relationship data where Customer uses Trace (including names and professional contact details of individuals identified through “is a customer of” relationship data)

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

  • None intentionally. Where Customer uses Pace, sales communications content processed through Pace may incidentally contain special category data as defined under GDPR Art. 9(1). Customer is responsible for ensuring no special category data is intentionally submitted through any Service and for applying appropriate safeguards prior to submission. Safeguards applied by Crossbeam to any incidentally received special category data include: strict purpose limitation; access restricted to authorised personnel; and data minimisation upon detection.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • Continuous

Purpose(s) of the data transfer and further processing; Nature of the processing

  • Personal Data is subject to the following basic Processing activities:
  • a) use of Personal Data to set up, operate, monitor, provide and support the Services (including operational and technical support), as further described in the Agreement;
  • b) communication to Users;
  • c) storage of Personal Data in dedicated data centers (multi-tenant architecture);
  • d) release, development and upload of any fixes or upgrades to the Services;
  • e) back up and restoration of Personal Data stored in the Services;
  • f) continuous improvement of Services features and functionalities provided as part of the Services including automation and machine learning, provided that Personal Data is not used to train or fine-tune artificial intelligence models;
  • g) computer processing of Personal Data, including data transmission, data retrieval, and data access;
  • h) aggregating and de-identifying Personal Data so that it no longer reasonably be used to identify any natural person, business, or Customer;
  • i) network access to allow Personal Data transfer;
  • j) monitoring, troubleshooting and administering the underlying Service infrastructure and databases;
  • k) security monitoring, network-based intrusion detection support, and penetration testing;
  • l) execution of instructions from Customer in accordance with the Agreement;

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

  • Personal Data will be retained for the term of the Agreement and thereafter in accordance with applicable Data Protection Laws.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

  • Subprocessors shall Process Personal Data for purposes of assisting Crossbeam in providing the Services to Customer under the Agreement and shall continue to Process Personal Data for the term of the applicable Agreement governing provision of the Services or as otherwise required under applicable Data Protection laws.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

  • Same as Clause 13 of the SCCs, and where possible, the Irish Data Protection Authority.

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES

Crossbeam’s Security Measures available at https://security.crossbeam.com describe Crossbeam’s technical and organizational measures designed to secure the Personal Data Crossbeam processes.

ANNEX III – STANDARD CONTRACTUAL CLAUSE PROVISIONS

  1. EU SCCS
    With respect to any transfers referred to in Section 11 of the Addendum, the Standard Contractual Clauses shall be completed as follows:
    1. Module One (controller to controller) of the SCCs will apply with respect to any Processing of Personal Data for which Crossbeam acts as an independent controller; otherwise, Module Two (controller to processor) of the SCCs will apply.
    2. Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
    3. Option 2 of Clause 9(a) (General written authorization) shall apply, and the time period to be specified is determined in Section 7.5 of the Addendum.
    4. The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
    5. With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 will apply and the governing law will be Irish law.
    6. In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of Ireland.
    7. For the Purpose of Annex I of the Standard Contractual Clauses, Annex I of the Addendum contains the specifications regarding the parties, the description of transfer, and the competent supervisory authority.
    8. For the Purpose of Annex II of the Standard Contractual Clauses, Annex II of the Addendum contains the technical and organisational measures.
  2. UK Addendum
    1. This Section 2 (UK Addendum) shall apply to any transfer of Covered Data from Customer (as data exporter) to Crossbeam (as data importer), to the extent that:
      1. a) the UK Data Protection Laws apply to Customer when making that transfer; or
      2. b) the transfer is an "onward transfer" as defined in the Approved Addendum.
    2. As used in this Section 2:
      Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Approved Addendum.
      UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
    3. The Approved Addendum will form part of this Addendum with respect to any transfers referred to in paragraph 2.1, and execution of this Addendum shall have the same effect as signing the Approved Addendum.
    4. The Approved Addendum shall be deemed completed as follows:
      1. a) the "Addendum EU SCCs" shall refer to the SCCs as they are incorporated into this Agreement in accordance with Clause 13 of the SCCs and this Annex III;
      2. b) Table 1 of the Approved Addendum shall be completed with the details in Section A of Annex I;
      3. c) the "Appendix Information" shall refer to the information set out in Annex I and Annex II
      4. d) for the purposes of Table 4 of the Approved Addendum, Crossbeam (as data importer) may end this Addendum, to the extent the Approved Addendum applies, in accordance with Section ‎19 of the Approved Addendum; and
      5. e) Section 16 of the Approved Addendum does not apply.
  3. Swiss Addendum
    1. This “Swiss Addendum” will apply to any Processing of Covered Data that is subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the EU GDPR.
    2. Interpretation of this Addendum
      • a) Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
        "Clauses" means the Standard Contractual Clauses as incorporated into this Addendum in accordance with Clause 13 of the SCCs and as further specified in this Annex III; and
        "FDPIC" means the Federal Data Protection and Information Commissioner.
      • b) This Swiss Addendum shall be read and interpreted in a manner that is consistent with Swiss Data Protection Laws, and so that it fulfils the Parties' obligations under Article 16(2)(d) of the FADP.
      • c) This Swiss Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
      • d) Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Swiss Addendum has been entered into.
      • e) In relation to any Processing of Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends and supplements the Clauses to the extent necessary so they operate:
        1. i. for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer; and
        2. ii. as standard data protection clauses approved, issued or recognised by the FDPIC for the purposes of Article 16(2)(d) of the FADP.
    3. Hierarchy
      In the event of a conflict or inconsistency between this Swiss Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Swiss Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.
    4. Changes to the Clauses for transfers exclusively subject to Swiss Data Protection Laws
      To the extent that the data exporter's Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an "onward transfer" (as defined in the Clauses, as amended by the remainder of this Section 3.4) the following amendments are made to the Clauses:
      1. a) References to the "Clauses" or the "SCCs" mean this Swiss Addendum as it amends the SCCs.
      2. b) Clause 6 Description of the transfer(s) is replaced with:
        The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Annex I of this Addendum where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer."
      3. c) References to "Regulation (EU) 2016/679" or "that Regulation" or ""GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s) of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.
      4. d) References to Regulation (EU) 2018/1725 are removed.
      5. e) References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".
      6. f) Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the FDPIC;
      7. g) Clause 17 is replaced to state:
        "These Clauses are governed by the laws of Switzerland".
      8. h) Clause 18 is replaced to state:
        “Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."
    5. Supplementary provisions for transfers of Personal Data subject to both the GDPR and Swiss Data Protection Laws
      1. a) To the extent that the data exporter's Processing of Personal Data is subject to both Swiss Data Protection Laws and the GDPR, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an "onward transfer" under both the Clauses and the Clauses as amended by Section 3.4 of this Annex III to the Addendum:
        1. i. for the purposes of Clause 13(a) and Part C of Annex I:
          1. A) the FDPIC shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent Swiss Data Protection Laws apply to the data exporter's Processing when making that transfer, or such transfer is an "onward transfer" as defined in the Clauses (as amended by Section 3.4 of this Addendum); and
          2. B) subject to the provisions of Section 2 of this Annex III (UK Addendum), the supervisory authority identified in Annex I shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent the GDPR applies to the data exporter's processing, or such transfer is an "onward transfer" as defined in the Clauses
      2. b) the terms "European Union", "Union", "EU", and "EU Member State" shall not be interpreted in a way that excludes the ability of Data Subjects in Switzerland bringing a claim in their place of habitual residence in accordance with Clause 18(c) of the Clauses.
  4. Transfers under the laws of other jurisdictions
    1. With respect to any transfers of Personal Data referred to in Clause 13.1(b) (each a "Global Transfer"), the SCCs shall not be interpreted in a way that conflicts with rights and obligations provided for in the Exporter Data Protection Laws.
    2. For the purposes of any Global Transfers, the SCCs shall be deemed to be amended to the extent necessary so that they operate:
      1. a) for transfers made by the applicable data exporter to the data importer, to the extent the Exporter Data Protection Laws apply to that data exporter's Processing when making that transfer; and
      2. b) to provide appropriate safeguards for the transfers in accordance with the Exporter Data Protection Laws.
    3. The amendments referred to in Section 4.2 include (without limitation) the following:
      1. a) references to the "GDPR" and to specific Articles of the GDPR are replaced with the equivalent provisions under the Exporter Data Protection Laws;
      2. b) reference to the "Union", "EU" and "EU Member State" are all replaced with reference to the jurisdiction in which the Exporter Data Protection Laws were issued (the "Exporter Jurisdiction");
      3. c) the "competent supervisory authority" shall be the applicable supervisory authority in the Exporter Jurisdiction; and
      4. d) Clauses 17 and 18 of the SCCs shall refer to the laws and courts of the Exporter Jurisdiction respectively.
    4. Where required under the Exporter Data Protection Laws, the relevant data exporter shall file a copy of the agreement entered into with the relevant national authority.