Last update: August 1st, 2025
1. Definitions
1.1. “Affiliate” means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.
1.2. "Data Subject" means (i) an identified or identifiable natural person who is in the EEA or whose rights are protected by EU Data Protection Laws; or (ii) a "Consumer" as the term is defined in the California Consumer Privacy Act (“CCPA”).
1.3. "Customer Data" means any content, data, information, or other materials (including Personal Information) submitted or shared by or for Customer to or through the Service.
1.4. "Personal Information" means information relating to a living individual or household who is, relates to, describes, or can be reasonably identified or linked, directly or indirectly from information, either alone or in conjunction with other information, within the Company's or Customer's control and which is stored, collected, processed, or submitted to or via the Service as Customer Data. Personal Information includes Personal Data.
1.5. “Authorized Sub-Processor” means a third-party who has a need to know or otherwise access Customer's Personal Data to enable Company to perform its obligations under this DPA or the Agreement, and who is authorized under Section 4.2 of this DPA.
1.6. “Company Account Data” means personal data that relates to Company's relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer's account and billing information of individuals that Customer has associated with its account. Company Account Data also includes any data Company may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.
1.7. “Company Usage Data” means Service usage data collected and processed by Company in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.
1.8. “Data Exporter” means Customer.
1.9. “Data Importer” means Company.
1.10. “Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data including: (i) the California Consumer Privacy Act (“CCPA”), (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) and the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) (together, collectively, the “GDPR”), (iii) the Swiss Federal Act on Data Protection; (iv) the UK Data Protection Act 2018; and (v) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended, or replaced from time to time. The terms “Data Subject”, “Personal Data”, “Personal Data Breach”, “processing”, “processor,” “controller,” and “supervisory authority” shall have the meanings set forth in the GDPR.
1.11. “ex-EEA Transfer” means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
1.12. “ex-UK Transfer” means the transfer of Personal Data covered by Chapter V of the UK GDPR, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
1.13. “Services” shall have the meaning set forth in the Agreement.
1.14. “Standard Contractual Clauses” means the EU SCCs and the UK SCCs.
1.15. “UK SCCs” means the EU SCCs, as amended by the UK Addendum.
1.16. “EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time), as modified by Section 6.2 of this DPA.
2. Relationship of the Parties; Processing of Data
2.1. The parties acknowledge and agree that with regard to the processing of Personal Data, Customer is the controller and Company is the processor. Each party agrees to comply with the obligations applicable to it in such role under Data Protection Laws with respect to the processing of Personal Data. Customer, as the controller, is solely responsible for ensuring that the processing of Personal Data, including any data submitted or saved via the Services (e.g., information from open-source searches or monitoring activities), complies with Data Protection Laws, including establishing a lawful basis for processing under Article 6 of the GDPR (e.g., consent, legitimate interest, or other applicable grounds) and, where required, conducting a Data Protection Impact Assessment (DPIA) for high-risk processing activities.
2.2. The subject-matter of the processing is the Services, and the processing will be carried out for the duration of the Agreement. Details of the processing are set out in Annex 1 and Annex 3.
2.3. Company shall only process Personal Data on behalf of and in accordance with the Customer’s documented instructions for the following purposes: (i) processing in accordance with the Agreement and applicable order form(s); (ii) processing initiated by authorized users in their use of the Services; and (iii) processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement and Data Protection Laws. Company will not process Personal Data for any other purpose, unless required to do so by a court of competent jurisdiction or under any applicable law, regulation, or governmental request. Company reserves the right to reject Customer instructions that it reasonably believes violate Data Protection Laws.
2.4. To the extent that any Customer Data is not Personal Data, Customer grants Company a worldwide, non-exclusive, royalty-free license to use, copy, reproduce, distribute, prepare derivative works of, display, and perform any and all such Customer Data in connection with the Services and as otherwise provided in the Agreement.
3. Confidentiality
3.1. Company will take reasonable steps to ensure that any natural person acting under its authority with access to Personal Data is subject to a duty of confidentiality.
4. Authorized Sub-Processors
4.1. Customer hereby generally authorizes Company to engage Authorized Sub-Processors to process Personal Data on Customer's behalf. The Authorized Sub-Processors currently engaged by Company and authorized by Customer are listed at https://www.becomeanon.com/subprocessors.
4.2. Company shall (i) enter into a written agreement with each Authorized Sub-Processor imposing data protection terms that require the Authorized Sub-Processor to protect the Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Authorized Sub-Processor that cause Company to breach any of its obligations under this DPA.
4.3. Customer may object to Company's use of a new Authorized Sub-Processor by notifying Company in writing within ten (10) business days after receipt of Company's notice in accordance with the mechanism set out at https://www.becomeanon.com/subprocessors. In the event Customer objects to a new Authorized Sub-Processor, as permitted in the preceding sentence, Company will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid processing of Personal Data by the objected-to new Authorized Sub-Processor without unreasonably burdening the Customer. If Company is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect to those Services which cannot be provided by Company without the use of the objected-to new Authorized Sub-Processor by providing written notice to Company. Company will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
5. Security Measures
5.1. Company shall implement and maintain appropriate technical and organizational security measures to protect Personal Data from security incidents and to preserve the security and confidentiality of the Personal Data, in accordance with the measures described in our GDPR Compliance page at https://www.becomeanon.com/gdpr.
5.2. Customer acknowledges that the Security Measures are subject to technical progress and development and that Company may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
5.3. Company shall ensure that any person who is authorized by Company to process Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.4. To the extent required by Data Protection Laws, Company will provide Customer with reasonable assistance, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising the Data Subject's rights.
5.5. In the event of a security incident, Company shall, to the extent permitted by law, notify Customer without undue delay after becoming aware of the security incident. Company shall, in connection with any security incident, take appropriate measures to secure the Personal Data and to mitigate the adverse effects of the security incident.
6. International Transfers
6.1. Customer acknowledges that ANON provides Services to clients globally, and as such, Company may transfer Customer Data to and access Customer Data from other countries where Company and its Authorized Sub-Processors have operations to provide the Services.
6.2. For any ex-EEA Transfers or ex-UK Transfers, Company agrees to abide by and process Personal Data in compliance with the Standard Contractual Clauses, which are incorporated into this DPA by reference.
6.3. For the purposes of the EU SCCs:
6.3.1. Module 2 (Controller to Processor) of the EU SCCs will apply where Customer is a controller and Company is a processor.
6.3.2. Clause 7 of the EU SCCs (Docking Clause) will not apply.
6.3.3. Clause 9(a) of the EU SCCs (Use of sub-processors) will be fulfilled by Company complying with Section 4 of this DPA.
6.3.4. Clause 11 of the EU SCCs (Redress) will not apply.
6.3.5. Clause 17 of the EU SCCs (Governing Law) will be the law of Sweden.
6.3.6. Clause 18 of the EU SCCs (Choice of forum and jurisdiction) will be the courts of Sweden.
6.3.7. Annex I and II of the EU SCCs will be deemed completed with the information set out in Annex 1 and 2 of this DPA respectively.
6.4. For the purposes of the UK SCCs, the UK Addendum will be deemed completed as follows:
6.4.1. The information required by Table 1 of the UK Addendum is set out in Annex 1 of this DPA.
6.4.2. The version of the EU SCCs to which the UK Addendum applies is the version in force at the time of the transfer.
6.4.3. Neither party will be entitled to terminate the UK Addendum in accordance with section 19 of the UK Addendum.
7. Miscellaneous
7.1. Except as amended by this DPA, the Agreement will remain in full force and effect.
7.2. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
7.3. Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.