Data Processing Addendum
Last updated: April 1, 2025
This Data Processing Addendum, including its Annexes and the Standard Contractual Clauses ("DPA"), forms an integral part of the Elicit Master Services Agreement ("MSA"), or any other written agreement that governs Customer's use of the Elicit Services (as defined below) entered into between the entity identified as the "Customer" in such Agreement ("Customer") and Elicit Research, PBC ("Elicit") (the "Agreement"), and applies solely to the extent that Elicit processes any Customer Personal Data (defined below) in connection with the Elicit Services. Customer enters into this DPA on behalf of itself and, if applicable and to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. For the purposes of the DPA only, and except where otherwise indicated, the term "Customer" shall include Customer and its Authorized Affiliates.
1. DEFINITIONS
1.1. "Applicable Data Protection Laws" means all data protection and privacy laws and regulations applicable to the respective party in its role in the processing of Customer Personal Data under the Agreement, which may include, to the extent applicable, European Data Protection Laws and the CCPA.
1.2. "Authorized Affiliate" means a Customer Affiliate who is authorized to use the Elicit Services under the Agreement and who has not signed their own separate "Agreement" with Elicit.
1.3. "CCPA" means the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100, et seq.), as may be amended, superseded or replaced from time to time.
1.4. "Customer Content" means, if not defined within the Agreement, all data processed by Elicit on your behalf in the course of providing the Elicit Services.
1.5. "Customer Personal Data" means any 'personal data' or 'personal information' contained within Customer Content.
1.6. "Elicit Services" means the Platform Services (as defined in the Agreement) and/or any other services provided directly by Elicit to the Customer under the Agreement.
1.7. "European Data Protection Laws" means (a) Regulation 2016/679 (General Data Protection Regulation) ("EU GDPR"); (b) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (c) the Swiss Federal Data Protection Act and its implementing regulations ("Swiss Data Protection Act"); in each case as may be amended, superseded or replaced from time to time.
1.8. "Restricted Transfer" means a transfer (directly or via onward transfer) of personal data that is subject to European Data Protection Laws to a third country outside the European Economic Area, United Kingdom and Switzerland which is not subject to an adequacy determination by the European Commission, United Kingdom or Swiss authorities (as applicable).
1.9. "Security Addendum" means all additional controls and documents that support the protection of data, which can be found at https://trust.elicit.com/.
1.10. "Security Breach" means a breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
1.11. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time.
1.12. "Subprocessor" means any other processor engaged by Elicit to process Customer Personal Data.
1.13. "UK Addendum" means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioners Office under S.119 (a) of the UK Data Protection Act 2018, as updated or amended from time to time.
1.14. The terms "controller", "data subject", "supervisory authority", "processor", "process", "processing", "personal data", and "personal information" shall have the meanings given to them in Applicable Data Protection Laws. The term "controller" includes "business", the term "data subject" includes "consumers", and the term "processor" includes "service provider" (in each case, as defined by the CCPA).
2. PROCESSING OF PERSONAL DATA
2.1. Scope and Roles of the Parties
This DPA applies when Customer Personal Data is processed by Elicit as a processor in its provision of the Elicit Services to Customer, who will act as either a controller or processor, as applicable, of Customer Personal Data.
2.2. Customer Processing
Customer agrees that (i) it will comply with its obligations under Applicable Data Protection Laws in its processing of Customer Personal Data and any processing instructions it issues to Elicit, and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Applicable Data Protection Laws for Elicit to process Customer Personal Data and provide the Elicit Services pursuant to the Agreement (including this DPA).
2.3. Elicit Processing
Elicit agrees that (a) when Elicit processes Customer Personal Data in its capacity as a processor on behalf of the Customer, Elicit will (i) comply with Applicable Data Protection Laws, and (ii) process the Customer Personal Data as necessary to perform its obligations under the Agreement, and only in accordance with Customer's documented instructions (as set forth in the Agreement, in this DPA, or as directed by the Customer or Customer's Authorized Users through the Elicit Services). Elicit is not responsible for determining if Customer's processing instructions are compliant with applicable law. However, Elicit shall notify Customer in writing if, in its reasonable opinion, the Customer's processing instructions infringe Applicable Data Protection Laws and provided that Customer acknowledges that Customer Personal Data may be processed on an automated basis in accordance with Customers' use of the Elicit Services, which Elicit does not monitor.
2.4. Details of Processing
The details of the processing of Customer Personal Data by Elicit are set out in Annex A to the DPA.
3. CONFIDENTIALITY
3.1. Personnel
Elicit shall ensure that any employees or personnel it authorizes to process Customer Personal Data is subject to an appropriate duty of confidentiality.
4. SUBPROCESSING
4.1. Authorization
Customer provides a general authorization to Elicit use of Subprocessors to process Customer Personal Data in accordance with this Section, including those Subprocessors listed at https://trust.elicit.com/subprocessors ("Subprocessor List").
4.2. Subprocessor Obligations
Elicit shall (i) enter into a written agreement with its Subprocessors, which includes data protection and security measures no less protective than the measures set forth in this DPA; and (ii) remain fully liable for any breach of the Agreement and this DPA that is caused by an act, error or omission of its Subprocessors to the extent that Elicit would have been liable for such act, error or omission had it been caused by Elicit.
4.3. Subprocessor Changes
We will notify you of subprocessor changes via updates to our publicly available Subprocessor List, available at https://trust.elicit.com/subprocessors, and you may subscribe, at https://trust.elicit.com/updates, to receive email updates when the Subprocessor List is updated.
5. ASSISTANCE
5.1. Data Subject Requests
Customer is responsible for responding to and complying with data subject requests ("DSR"). The Elicit Services include controls that Customer may use to assist it to respond to DSR. If Customer is unable to access or delete any Customer Personal Data using such controls, Elicit shall, taking into account the nature of the processing, reasonably cooperate with Customer to enable Customer to respond to the DSR. If a data subject sends a DSR to Elicit directly and where Customer is identified or identifiable from the request, Elicit will promptly forward such DSR to Customer and Elicit shall not, unless legally compelled to do so, respond directly to the data subject except to refer them to the Customer to allow Customer to respond as appropriate.
5.2. Data Protection Impact Assessments
Elicit will provide reasonably requested information regarding the Elicit Services to Customer to carry out data protection impact assessments relating to the processing of Customer Personal Data and any related required consultation with supervisory authorities as required by Applicable Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.
5.3. Legal Requests
If Elicit receives a subpoena, court order, warrant or other legal demand from law enforcement or any public or judicial authority seeking the disclosure of Customer Personal Data, Elicit will attempt to redirect the governmental body to request such Customer Personal Data directly from Customer. As part of this effort, Elicit may provide Customer's basic contact information to the governmental body. If compelled to disclose Customer Personal Data to a governmental body, Elicit will give Customer reasonable notice of the legal demand to allow Customer to seek a protective order or other appropriate remedy, unless Elicit is legally prohibited from doing so.
6. SECURITY
6.1. Security Measures
Elicit has implemented and will maintain appropriate technical and organizational security measures as set forth in the Security Addendum ("Security Measures"). The Security Measures are subject to technical progress and development and Elicit may update the Security Measures, provided that any updates shall not materially diminish the overall security of Customer Personal Data or the Elicit Services. Elicit may make available certain security controls within the Elicit Services that Customer may use in accordance with the Documentation.
6.2. Security Breach Notification
In the event of a Security Breach, Elicit will (a) notify Customer in writing without undue delay and in no event later than seventy-two (72) hours after becoming aware of the Security Breach; and (b) promptly take reasonable steps to contain, investigate, and mitigate any adverse effects resulting from the Security Breach.
ANNEX A
DETAILS OF THE PROCESSING OF CUSTOMER PERSONAL DATA
Subject matter and duration of the processing of Customer Personal Data by Elicit | Subject to any applicable restrictions and/or conditions in the Agreement and this DPA, Customer Personal Data will be processed by Elicit to the extent necessary to provide the Elicit Services to Customer in accordance with the Agreement. The duration of the processing will be for the term of the Agreement and any period after the termination or expiry of the Agreement during which Elicit processes Customer Personal Data. |
|---|---|
Nature and purpose of the processing of Customer Personal Data by Elicit | Elicit will process Customer Personal Data as necessary to provide the Elicit Services pursuant to the Agreement, including to: (a) provide, maintain, update and support the Elicit Services; (b) process data and provide Customer with insights and analysis; (c) communicate with Customer about the Elicit Services; (d) provide customer support; (e) maintain the security and integrity of the Elicit Services; and (f) comply with applicable legal obligations. |
Type of Customer Personal Data to be processed by Elicit | Subject to any applicable restrictions and/or conditions in the Agreement and this DPA, Customer Personal Data may include, but is not limited to: (a) identification data (such as name, email address, phone number); (b) professional data (such as job title, company, industry); (c) usage data (such as information about how Customer uses the Elicit Services); (d) technical data (such as IP addresses, device information, browser type); and (e) any other personal data contained in Customer Content processed in the course of the Services. |
Categories of data subjects to whom the Customer Personal Data relates | Data subjects may include Customer's employees, contractors, agents, and end users, as well as any individuals whose personal data is contained in Customer Content processed in the course of the Services. |
Sensitive data transferred (if appropriate) | Subject to any applicable restrictions and/or conditions in the Agreement and this DPA, Customer may include special categories of personal data or similarly sensitive personal data (as described or defined in Applicable Data Protection Laws) in Customer Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health and/or data concerning a natural person's sex life or sexual orientation. |
Frequency of the Transfer | Continuous or one-off depending on the services being provided by Elicit. |
Nature, subject matter and duration of the processing: | Nature: Elicit is building an AI-powered research assistant, as further described in the Agreement. Subject Matter: Customer Personal Data. Duration: The duration of the processing will be for the term of the Agreement and any period after the termination or expiry of the Agreement during which Elicit processes Customer Personal Data. |
Purpose(s) of the data transfer and further processing: | Elicit shall process Customer Personal Data for the following purposes: (a) as necessary for the performance of the Elicit Services and Elicit's obligations under the Agreement (including the DPA), including processing initiated by Authorized Users in their use and configuration of the Elicit Services; and (b) further documented, reasonable instructions from Customer agreed upon by the parties (the "Purposes"). |
Period for which the personal data will be retained: | Elicit will retain Customer Personal Data for the term of the Agreement and any period after the termination of expiry of the Agreement during which Elicit processes Customer Personal Data in accordance with the Agreement. |
ANNEX 1(C): COMPETENT SUPERVISORY AUTHORITY
Competent supervisory authority | The data exporter's competent supervisory authority will be determined in accordance with the EU GDPR. |
|---|
ANNEX B
STANDARD CONTRACTUAL CLAUSES (Modules 2 and 3)
Subject to Section 8.1 of the DPA, where the transfer of Customer Personal Data to Elicit is a Restricted Transfer and Applicable Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be governed by the Standard Contractual Clauses, which shall be deemed incorporated into and form part of the DPA as follows:
In relation to transfers of Customer Personal Data protected by the EU GDPR, the SCCs shall apply as follows:
Module Two terms shall apply (where Customer is the controller of Customer Personal Data) and the Module Three terms shall apply (where Customer is the processor of Customer Personal Data);
in Clause 7, the optional docking clause shall apply and Authorized Affiliates may accede the SCCs under the same terms and conditions as Customer, subject to mutual agreement of the parties;
in Clause 9, option 2 ("general authorization") is selected, and the process and time period for prior notice of Sub-processor changes shall be as set out in Section 4.3 of the DPA;
in Clause 11, the optional language shall not apply;
in Clause 17, option 1 shall apply and the SCCs shall be governed by Irish law;
in Clause 18(b), disputes shall be resolved before the courts of Ireland;
Annex I shall be deemed completed with the information set out in Annex A to the DPA; and
Annex II shall be deemed completed with the information set out in the Security Addendum, subject to Section 6.1 (Security Measures) of the DPA.
In relation to transfers of Customer Personal Data protected by the UK GDPR, the SCCs as implemented under Section 1(a) above shall apply with the following modifications:
the SCCs shall be modified and interpreted in accordance with Part 2 of the UK Addendum, which shall be deemed incorporated into and form an integral part of the DPA;
Tables 1, 2 and 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out in Annex A and Annex B to the DPA and the Security Addendum respectively, and Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party"; and
Any conflict between the terms of the SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
In relation to transfers of Customer Personal Data protected by the Swiss Data Protection Act, the SCCs as implemented under Section 1(a) above will apply with the following modifications:
references to "Regulation (EU) 2016/679" and specific articles therein shall be interpreted as references to the Swiss Data Protection Act and the equivalent articles or sections therein;
references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "Switzerland" and/or "Swiss law" (as applicable);
references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland");
the SCCs shall be governed by the laws of Switzerland; and
disputes shall be resolved before the competent Swiss courts.
Where the Standard Contractual Clauses apply pursuant to Section 8.1 of this DPA, this section sets out the parties' interpretations of their respective obligations under specific provisions of the Clauses, as identified below. Where a party complies with the interpretations set out below, that party shall be deemed by the other party to have complied with its commitments under the Standard Contractual Clauses:
where Customer is itself a processor of Customer Personal Data acting on behalf of a third party controller and Elicit would otherwise be required to interact directly with such third party controller (including notifying or obtaining authorizations from such third party controller), Elicit may interact solely with Customer and Customer shall be responsible for forwarding any necessary notifications to and obtaining any necessary authorizations from such third party controller;
the certification of deletion described in Clause 16(d) of the SCCs shall be provided by Elicit to Customer upon Customer's written request;
for the purposes of Clause 15(1)(a) the SCCs, Elicit shall notify Customer and not the relevant data subject(s) in case of government access requests, and Customer shall be solely responsible for notifying the relevant data subjects as necessary; and
Taking into account the nature of the processing, Customer agrees that it is unlikely that Elicit would become aware of Customer Personal Data processed by Elicit is inaccurate or outdated. To the extent Elicit becomes aware of such inaccurate or outdated data, Elicit will inform the Customer in accordance with Clause 8.4 SCCs.
Data Processing Addendum
Last updated: April 1, 2025
This Data Processing Addendum, including its Annexes and the Standard Contractual Clauses ("DPA"), forms an integral part of the Elicit Master Services Agreement ("MSA"), or any other written agreement that governs Customer's use of the Elicit Services (as defined below) entered into between the entity identified as the "Customer" in such Agreement ("Customer") and Elicit Research, PBC ("Elicit") (the "Agreement"), and applies solely to the extent that Elicit processes any Customer Personal Data (defined below) in connection with the Elicit Services. Customer enters into this DPA on behalf of itself and, if applicable and to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. For the purposes of the DPA only, and except where otherwise indicated, the term "Customer" shall include Customer and its Authorized Affiliates.
1. DEFINITIONS
1.1. "Applicable Data Protection Laws" means all data protection and privacy laws and regulations applicable to the respective party in its role in the processing of Customer Personal Data under the Agreement, which may include, to the extent applicable, European Data Protection Laws and the CCPA.
1.2. "Authorized Affiliate" means a Customer Affiliate who is authorized to use the Elicit Services under the Agreement and who has not signed their own separate "Agreement" with Elicit.
1.3. "CCPA" means the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100, et seq.), as may be amended, superseded or replaced from time to time.
1.4. "Customer Content" means, if not defined within the Agreement, all data processed by Elicit on your behalf in the course of providing the Elicit Services.
1.5. "Customer Personal Data" means any 'personal data' or 'personal information' contained within Customer Content.
1.6. "Elicit Services" means the Platform Services (as defined in the Agreement) and/or any other services provided directly by Elicit to the Customer under the Agreement.
1.7. "European Data Protection Laws" means (a) Regulation 2016/679 (General Data Protection Regulation) ("EU GDPR"); (b) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (c) the Swiss Federal Data Protection Act and its implementing regulations ("Swiss Data Protection Act"); in each case as may be amended, superseded or replaced from time to time.
1.8. "Restricted Transfer" means a transfer (directly or via onward transfer) of personal data that is subject to European Data Protection Laws to a third country outside the European Economic Area, United Kingdom and Switzerland which is not subject to an adequacy determination by the European Commission, United Kingdom or Swiss authorities (as applicable).
1.9. "Security Addendum" means all additional controls and documents that support the protection of data, which can be found at https://trust.elicit.com/.
1.10. "Security Breach" means a breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
1.11. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time.
1.12. "Subprocessor" means any other processor engaged by Elicit to process Customer Personal Data.
1.13. "UK Addendum" means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioners Office under S.119 (a) of the UK Data Protection Act 2018, as updated or amended from time to time.
1.14. The terms "controller", "data subject", "supervisory authority", "processor", "process", "processing", "personal data", and "personal information" shall have the meanings given to them in Applicable Data Protection Laws. The term "controller" includes "business", the term "data subject" includes "consumers", and the term "processor" includes "service provider" (in each case, as defined by the CCPA).
2. PROCESSING OF PERSONAL DATA
2.1. Scope and Roles of the Parties
This DPA applies when Customer Personal Data is processed by Elicit as a processor in its provision of the Elicit Services to Customer, who will act as either a controller or processor, as applicable, of Customer Personal Data.
2.2. Customer Processing
Customer agrees that (i) it will comply with its obligations under Applicable Data Protection Laws in its processing of Customer Personal Data and any processing instructions it issues to Elicit, and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Applicable Data Protection Laws for Elicit to process Customer Personal Data and provide the Elicit Services pursuant to the Agreement (including this DPA).
2.3. Elicit Processing
Elicit agrees that (a) when Elicit processes Customer Personal Data in its capacity as a processor on behalf of the Customer, Elicit will (i) comply with Applicable Data Protection Laws, and (ii) process the Customer Personal Data as necessary to perform its obligations under the Agreement, and only in accordance with Customer's documented instructions (as set forth in the Agreement, in this DPA, or as directed by the Customer or Customer's Authorized Users through the Elicit Services). Elicit is not responsible for determining if Customer's processing instructions are compliant with applicable law. However, Elicit shall notify Customer in writing if, in its reasonable opinion, the Customer's processing instructions infringe Applicable Data Protection Laws and provided that Customer acknowledges that Customer Personal Data may be processed on an automated basis in accordance with Customers' use of the Elicit Services, which Elicit does not monitor.
2.4. Details of Processing
The details of the processing of Customer Personal Data by Elicit are set out in Annex A to the DPA.
3. CONFIDENTIALITY
3.1. Personnel
Elicit shall ensure that any employees or personnel it authorizes to process Customer Personal Data is subject to an appropriate duty of confidentiality.
4. SUBPROCESSING
4.1. Authorization
Customer provides a general authorization to Elicit use of Subprocessors to process Customer Personal Data in accordance with this Section, including those Subprocessors listed at https://trust.elicit.com/subprocessors ("Subprocessor List").
4.2. Subprocessor Obligations
Elicit shall (i) enter into a written agreement with its Subprocessors, which includes data protection and security measures no less protective than the measures set forth in this DPA; and (ii) remain fully liable for any breach of the Agreement and this DPA that is caused by an act, error or omission of its Subprocessors to the extent that Elicit would have been liable for such act, error or omission had it been caused by Elicit.
4.3. Subprocessor Changes
We will notify you of subprocessor changes via updates to our publicly available Subprocessor List, available at https://trust.elicit.com/subprocessors, and you may subscribe, at https://trust.elicit.com/updates, to receive email updates when the Subprocessor List is updated.
5. ASSISTANCE
5.1. Data Subject Requests
Customer is responsible for responding to and complying with data subject requests ("DSR"). The Elicit Services include controls that Customer may use to assist it to respond to DSR. If Customer is unable to access or delete any Customer Personal Data using such controls, Elicit shall, taking into account the nature of the processing, reasonably cooperate with Customer to enable Customer to respond to the DSR. If a data subject sends a DSR to Elicit directly and where Customer is identified or identifiable from the request, Elicit will promptly forward such DSR to Customer and Elicit shall not, unless legally compelled to do so, respond directly to the data subject except to refer them to the Customer to allow Customer to respond as appropriate.
5.2. Data Protection Impact Assessments
Elicit will provide reasonably requested information regarding the Elicit Services to Customer to carry out data protection impact assessments relating to the processing of Customer Personal Data and any related required consultation with supervisory authorities as required by Applicable Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.
5.3. Legal Requests
If Elicit receives a subpoena, court order, warrant or other legal demand from law enforcement or any public or judicial authority seeking the disclosure of Customer Personal Data, Elicit will attempt to redirect the governmental body to request such Customer Personal Data directly from Customer. As part of this effort, Elicit may provide Customer's basic contact information to the governmental body. If compelled to disclose Customer Personal Data to a governmental body, Elicit will give Customer reasonable notice of the legal demand to allow Customer to seek a protective order or other appropriate remedy, unless Elicit is legally prohibited from doing so.
6. SECURITY
6.1. Security Measures
Elicit has implemented and will maintain appropriate technical and organizational security measures as set forth in the Security Addendum ("Security Measures"). The Security Measures are subject to technical progress and development and Elicit may update the Security Measures, provided that any updates shall not materially diminish the overall security of Customer Personal Data or the Elicit Services. Elicit may make available certain security controls within the Elicit Services that Customer may use in accordance with the Documentation.
6.2. Security Breach Notification
In the event of a Security Breach, Elicit will (a) notify Customer in writing without undue delay and in no event later than seventy-two (72) hours after becoming aware of the Security Breach; and (b) promptly take reasonable steps to contain, investigate, and mitigate any adverse effects resulting from the Security Breach.
ANNEX A
DETAILS OF THE PROCESSING OF CUSTOMER PERSONAL DATA
Subject matter and duration of the processing of Customer Personal Data by Elicit | Subject to any applicable restrictions and/or conditions in the Agreement and this DPA, Customer Personal Data will be processed by Elicit to the extent necessary to provide the Elicit Services to Customer in accordance with the Agreement. The duration of the processing will be for the term of the Agreement and any period after the termination or expiry of the Agreement during which Elicit processes Customer Personal Data. |
|---|---|
Nature and purpose of the processing of Customer Personal Data by Elicit | Elicit will process Customer Personal Data as necessary to provide the Elicit Services pursuant to the Agreement, including to: (a) provide, maintain, update and support the Elicit Services; (b) process data and provide Customer with insights and analysis; (c) communicate with Customer about the Elicit Services; (d) provide customer support; (e) maintain the security and integrity of the Elicit Services; and (f) comply with applicable legal obligations. |
Type of Customer Personal Data to be processed by Elicit | Subject to any applicable restrictions and/or conditions in the Agreement and this DPA, Customer Personal Data may include, but is not limited to: (a) identification data (such as name, email address, phone number); (b) professional data (such as job title, company, industry); (c) usage data (such as information about how Customer uses the Elicit Services); (d) technical data (such as IP addresses, device information, browser type); and (e) any other personal data contained in Customer Content processed in the course of the Services. |
Categories of data subjects to whom the Customer Personal Data relates | Data subjects may include Customer's employees, contractors, agents, and end users, as well as any individuals whose personal data is contained in Customer Content processed in the course of the Services. |
Sensitive data transferred (if appropriate) | Subject to any applicable restrictions and/or conditions in the Agreement and this DPA, Customer may include special categories of personal data or similarly sensitive personal data (as described or defined in Applicable Data Protection Laws) in Customer Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health and/or data concerning a natural person's sex life or sexual orientation. |
Frequency of the Transfer | Continuous or one-off depending on the services being provided by Elicit. |
Nature, subject matter and duration of the processing: | Nature: Elicit is building an AI-powered research assistant, as further described in the Agreement. Subject Matter: Customer Personal Data. Duration: The duration of the processing will be for the term of the Agreement and any period after the termination or expiry of the Agreement during which Elicit processes Customer Personal Data. |
Purpose(s) of the data transfer and further processing: | Elicit shall process Customer Personal Data for the following purposes: (a) as necessary for the performance of the Elicit Services and Elicit's obligations under the Agreement (including the DPA), including processing initiated by Authorized Users in their use and configuration of the Elicit Services; and (b) further documented, reasonable instructions from Customer agreed upon by the parties (the "Purposes"). |
Period for which the personal data will be retained: | Elicit will retain Customer Personal Data for the term of the Agreement and any period after the termination of expiry of the Agreement during which Elicit processes Customer Personal Data in accordance with the Agreement. |
ANNEX 1(C): COMPETENT SUPERVISORY AUTHORITY
Competent supervisory authority | The data exporter's competent supervisory authority will be determined in accordance with the EU GDPR. |
|---|
ANNEX B
STANDARD CONTRACTUAL CLAUSES (Modules 2 and 3)
Subject to Section 8.1 of the DPA, where the transfer of Customer Personal Data to Elicit is a Restricted Transfer and Applicable Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be governed by the Standard Contractual Clauses, which shall be deemed incorporated into and form part of the DPA as follows:
In relation to transfers of Customer Personal Data protected by the EU GDPR, the SCCs shall apply as follows:
Module Two terms shall apply (where Customer is the controller of Customer Personal Data) and the Module Three terms shall apply (where Customer is the processor of Customer Personal Data);
in Clause 7, the optional docking clause shall apply and Authorized Affiliates may accede the SCCs under the same terms and conditions as Customer, subject to mutual agreement of the parties;
in Clause 9, option 2 ("general authorization") is selected, and the process and time period for prior notice of Sub-processor changes shall be as set out in Section 4.3 of the DPA;
in Clause 11, the optional language shall not apply;
in Clause 17, option 1 shall apply and the SCCs shall be governed by Irish law;
in Clause 18(b), disputes shall be resolved before the courts of Ireland;
Annex I shall be deemed completed with the information set out in Annex A to the DPA; and
Annex II shall be deemed completed with the information set out in the Security Addendum, subject to Section 6.1 (Security Measures) of the DPA.
In relation to transfers of Customer Personal Data protected by the UK GDPR, the SCCs as implemented under Section 1(a) above shall apply with the following modifications:
the SCCs shall be modified and interpreted in accordance with Part 2 of the UK Addendum, which shall be deemed incorporated into and form an integral part of the DPA;
Tables 1, 2 and 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out in Annex A and Annex B to the DPA and the Security Addendum respectively, and Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party"; and
Any conflict between the terms of the SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
In relation to transfers of Customer Personal Data protected by the Swiss Data Protection Act, the SCCs as implemented under Section 1(a) above will apply with the following modifications:
references to "Regulation (EU) 2016/679" and specific articles therein shall be interpreted as references to the Swiss Data Protection Act and the equivalent articles or sections therein;
references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "Switzerland" and/or "Swiss law" (as applicable);
references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland");
the SCCs shall be governed by the laws of Switzerland; and
disputes shall be resolved before the competent Swiss courts.
Where the Standard Contractual Clauses apply pursuant to Section 8.1 of this DPA, this section sets out the parties' interpretations of their respective obligations under specific provisions of the Clauses, as identified below. Where a party complies with the interpretations set out below, that party shall be deemed by the other party to have complied with its commitments under the Standard Contractual Clauses:
where Customer is itself a processor of Customer Personal Data acting on behalf of a third party controller and Elicit would otherwise be required to interact directly with such third party controller (including notifying or obtaining authorizations from such third party controller), Elicit may interact solely with Customer and Customer shall be responsible for forwarding any necessary notifications to and obtaining any necessary authorizations from such third party controller;
the certification of deletion described in Clause 16(d) of the SCCs shall be provided by Elicit to Customer upon Customer's written request;
for the purposes of Clause 15(1)(a) the SCCs, Elicit shall notify Customer and not the relevant data subject(s) in case of government access requests, and Customer shall be solely responsible for notifying the relevant data subjects as necessary; and
Taking into account the nature of the processing, Customer agrees that it is unlikely that Elicit would become aware of Customer Personal Data processed by Elicit is inaccurate or outdated. To the extent Elicit becomes aware of such inaccurate or outdated data, Elicit will inform the Customer in accordance with Clause 8.4 SCCs.