Critical Research Data Processing Agreement

Last Updated September 12, 2019

Insofar as the Critical Research Corporation (“Data Processor”) will be processing personal data on behalf of a data controller (“Data Controller”) in the course of performing CRC Services, the terms of this Data Processing Agreement (“DPA”) shall apply. Any capitalized terms not otherwise defined in this DPA shall have the meaning given to them in the Agreement. In the event of a conflict between any provisions of the Agreement for CRC Services (the “Agreement”) and this DPA, the provisions of this DPA shall govern and control with regard to the processing of personal data. References to “Data Protection Laws” shall mean any law applicable to Data Processor’s processing or use of personal data, including (to the extent applicable), Regulation (EU) 2016 / 679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), and The California Consumer Privacy Act of 2018, AB375, Title 1.81.5, including any implementing law, as amended (“CCPA”).

1. Processing.

a) Data Processor will only process, store, and use the personal data it receives from the Data Controller as necessary to provide the CRC Services, the business purposes as set forth in the Agreement, or Data Controller’s prior written instructions. The Data Processor shall never retain, use, disclose, sell, or process the personal data other than as specified in the Data Controller’s documented instructions or as otherwise permitted by law.

b) The Data Controller has all necessary rights to provide the personal data to the Data Processor for the processing to be performed in connection with the CRC Services. To the extent required by Data Protection Laws, the Data Controller is responsible for providing all necessary privacy notices to data subjects, and unless another legal basis set forth in the Data Protection Laws supports the lawfulness of the processing, and for obtaining any necessary consents from data subject to the processing required under the Agreement. Should such a consent be revoked by a data subject, the Data Controller will inform the Data Processor of such revocation, and the Data Processor is responsible for implementing Data Controller’s instruction with respect to the processing of such personal data.

2. Confidentiality.

The Data Processor shall treat all personal data as Confidential Information under the Agreement, and it shall inform all its employees, agents and approved sub-processors engaged in processing the personal data of the confidential nature of the personal data. The Data Processor shall ensure that all such persons or parties have signed confidentiality agreements with obligations no less restrictive in the use and protection of Confidential Information than those in the Agreement.

3. Security Measures.

a) Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security of the processing of personal data appropriate to the risk. The Data Processor shall maintain and follow written security policies that are fully implemented and applicable to the processing of personal data. At a minimum, such policies will include assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, carrying out verification checks on permanent staff who will have access to the personal data, conducting appropriate background checks, requiring employees, vendors and others with access to personal data to enter into written confidentiality agreements, and conducting training to make employees and others with access to the personal data aware of information security risks presented by the processing.

b) At the request of the Data Controller, the Data Processor shall demonstrate the measures it has taken pursuant to this Article 3 and shall allow the Data Controller to audit and test such measures, to the extent it does not require providing access to other customers’ data. Subject to such restriction, the Data Processor shall cooperate with such audits carried out by or on behalf of the Data Controller, shall grant the Data Controller´s auditors reasonable access to any premises and devices involved with the processing of the personal data, and shall provide the Data Controller´s auditors with access to any information relating to the processing of the personal data as may be reasonably required by the Data Controller to ascertain the Data Processor´s compliance with this DPA.

4. Data Transfers.

For residents of the EU, Switzerland, plus Iceland, Liechtenstein and Norway, Critical Research certifies to the EU-US and Swiss-US Privacy Shield. See our privacy statement specific to Privacy Shield at the following link: https://rumble.run/privacy-shield. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/. Data Processor will not transfer any personal data across the border to a country outside of the United States, without the express prior written permission of Data Controller. Data Processor shall promptly notify the Data Controller of any planned permanent or temporary transfers of personal data across the border to a country outside of the United States, and shall only perform such a transfer after obtaining authorization from the Data Controller, which may be withheld at its sole discretion.

5. Security Breach.

The Data Processor will notify the Data Controller without undue delay upon discovery of any suspected or actual security or confidentiality breach or other compromise of personal data, describing the breach in reasonable detail, the status of any investigation or mitigation taken by the Data Processor, and if applicable, the potential number of data subjects affected. Data Processor will not communicate with any third party regarding any security breach except as specified by other party or by applicable law.

6. Subprocessors.

The Data Processor shall not subcontract any of its CRC Services-related activities to the extent such activities involve any processing of personal data received from the Data Controller or allow any personal data to be processed by a third party, without the prior written authorization of the Data Controller.

7. Data Subject Rights.

The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the Data Protection Laws.