Last updated: April 1, 2025
This Data Processing Addendum, including its Annexes and the Standard Contractual Clauses ("DPA"), forms an integral part of the Elicit Master Services Agreement ("MSA"), or any other written agreement that governs Customer's use of the Elicit Services (as defined below) entered into between the entity identified as the "Customer" in such Agreement ("Customer") and Elicit Research, PBC ("Elicit") (the "Agreement"), and applies solely to the extent that Elicit processes any Customer Personal Data (defined below) in connection with the Elicit Services. Customer enters into this DPA on behalf of itself and, if applicable and to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. For the purposes of the DPA only, and except where otherwise indicated, the term "Customer" shall include Customer and its Authorized Affiliates.
1. DEFINITIONS
1.1. "Applicable Data Protection Laws" means all data protection and privacy laws and regulations applicable to the respective party in its role in the processing of Customer Personal Data under the Agreement, which may include, to the extent applicable, European Data Protection Laws and the CCPA.
1.2. "Authorized Affiliate" means a Customer Affiliate who is authorized to use the Elicit Services under the Agreement and who has not signed their own separate "Agreement" with Elicit.
1.3. "CCPA" means the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100, et seq.), as may be amended, superseded or replaced from time to time.
1.4. "Customer Content" means, if not defined within the Agreement, all data processed by Elicit on your behalf in the course of providing the Elicit Services.
1.5. "Customer Personal Data" means any 'personal data' or 'personal information' contained within Customer Content.
1.6. "Elicit Services" means the Platform Services (as defined in the Agreement) and/or any other services provided directly by Elicit to the Customer under the Agreement.
1.7. "European Data Protection Laws" means (a) Regulation 2016/679 (General Data Protection Regulation) ("EU GDPR"); (b) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (c) the Swiss Federal Data Protection Act and its implementing regulations ("Swiss Data Protection Act"); in each case as may be amended, superseded or replaced from time to time.
1.8. "Restricted Transfer" means a transfer (directly or via onward transfer) of personal data that is subject to European Data Protection Laws to a third country outside the European Economic Area, United Kingdom and Switzerland which is not subject to an adequacy determination by the European Commission, United Kingdom or Swiss authorities (as applicable).
1.9. "Security Addendum" means all additional controls and documents that support the protection of data, which can be found at https://trust.elicit.com/.
1.10. "Security Breach" means a breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
1.11. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time.
1.12. "Subprocessor" means any other processor engaged by Elicit to process Customer Personal Data.
1.13. "UK Addendum" means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under S.119 (a) of the UK Data Protection Act 2018, as updated or amended from time to time.
1.14. The terms "controller", "data subject", "supervisory authority", "processor", "process", "processing", "personal data", and "personal information" shall have the meanings given to them in Applicable Data Protection Laws.
2. PROCESSING OF PERSONAL DATA
2.1. Scope and Roles of the Parties. This DPA applies when Customer Personal Data is processed by Elicit as a processor in its provision of the Elicit Services to Customer, who will act as either a controller or processor, as applicable, of Customer Personal Data.
2.2. Customer Processing. Customer agrees that (i) it will comply with its obligations under Applicable Data Protection Laws in its processing of Customer Personal Data and any processing instructions it issues to Elicit, and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Applicable Data Protection Laws for Elicit to process Customer Personal Data and provide the Elicit Services pursuant to the Agreement (including this DPA).
2.3. Elicit Processing. Elicit agrees that when Elicit processes Customer Personal Data in its capacity as a processor on behalf of the Customer, Elicit will (i) comply with Applicable Data Protection Laws, and (ii) process the Customer Personal Data as necessary to perform its obligations under the Agreement, and only in accordance with Customer's documented instructions. Elicit shall notify Customer in writing if, in its reasonable opinion, the Customer's processing instructions infringe Applicable Data Protection Laws.
2.4. Details of Processing. The details of the processing of Customer Personal Data by Elicit are set out in Annex A to the DPA.
3. CONFIDENTIALITY
3.1. Personnel. Elicit shall ensure that any employees or personnel it authorizes to process Customer Personal Data are subject to an appropriate duty of confidentiality.
4. SUBPROCESSING
4.1. Authorization. Customer provides a general authorization to Elicit's use of Subprocessors to process Customer Personal Data in accordance with this Section, including those Subprocessors listed at https://trust.elicit.com/subprocessors.
4.2. Subprocessor Obligations. Elicit shall (i) enter into a written agreement with its Subprocessors, which includes data protection and security measures no less protective than the measures set forth in this DPA; and (ii) remain fully liable for any breach of the Agreement and this DPA that is caused by an act, error or omission of its Subprocessors.
4.3. Subprocessor Changes. We will notify you of subprocessor changes via updates to our publicly available Subprocessor List, available at https://trust.elicit.com/subprocessors, and you may subscribe at https://trust.elicit.com/updates to receive email updates when the Subprocessor List is updated.
5. ASSISTANCE
5.1. Data Subject Requests. Customer is responsible for responding to and complying with data subject requests ("DSR"). If Customer is unable to access or delete any Customer Personal Data using the Elicit Services controls, Elicit shall reasonably cooperate with Customer to enable Customer to respond to the DSR.
5.2. Data Protection Impact Assessments. Elicit will provide reasonably requested information regarding the Elicit Services to Customer to carry out data protection impact assessments relating to the processing of Customer Personal Data.
5.3. Legal Requests. If Elicit receives a subpoena, court order, warrant or other legal demand seeking the disclosure of Customer Personal Data, Elicit will attempt to redirect the governmental body to request such Customer Personal Data directly from Customer. If compelled to disclose, Elicit will give Customer reasonable notice to allow Customer to seek a protective order or other appropriate remedy, unless Elicit is legally prohibited from doing so.
6. SECURITY
6.1. Security Measures. Elicit has implemented and will maintain appropriate technical and organizational security measures as set forth in the Security Addendum. The Security Measures are subject to technical progress and development and Elicit may update the Security Measures, provided that any updates shall not materially diminish the overall security of Customer Personal Data or the Elicit Services.
6.2. Security Breach Notification. In the event of a Security Breach, Elicit will (a) notify Customer in writing without undue delay and in no event later than seventy-two (72) hours after becoming aware of the Security Breach; and (b) promptly take reasonable steps to contain, investigate, and mitigate any adverse effects resulting from the Security Breach.
7. AUDITS AND RECORDS
7.1. Audit Program. Upon written request and at no additional cost to Customer, Elicit shall provide Customer access to reasonably requested documentation or letters of attestation evidencing Elicit's compliance with its obligations under this DPA.
7.2. Audit. Only to the extent Customer cannot reasonably satisfy itself of Elicit's compliance through the Audit Reports, Customer may send a written request to conduct an audit of Elicit's applicable controls on an annual basis. The Audit Report and any information arising therefrom shall be considered Elicit Confidential Information.
8. TRANSFER OF PERSONAL DATA
8.1. Restricted Transfers. Where the transfer of Customer Personal Data to Elicit is a Restricted Transfer, such transfer shall be governed by the Standard Contractual Clauses, which shall be deemed incorporated into and form an integral part of the Agreement in accordance with Annex B of this DPA.
8.2. Alternative Transfer Mechanisms. If and to the extent that a court of competent jurisdiction or a supervisory authority orders that the measures described in this DPA cannot be relied on to lawfully transfer Customer Personal Data to Elicit, the parties shall reasonably cooperate to agree and take any actions required to implement any additional measures or alternative transfer mechanism.
9. DATA TERMINATION
9.1. No Backups. The Elicit Services do not include backup services or disaster recovery for Customer Personal Data. It is the Customer's obligation to back up any Customer Personal Data if desired.
9.2. Termination. Upon termination or expiration of the Agreement and following Customer's written request, Elicit will delete or assist Customer in deleting any Customer Personal Data within its possession or control within thirty (30) days following such request.
10. CCPA COMPLIANCE
10.1. Elicit shall not process, retain, use, or disclose Customer Personal Data for any purpose other than for the purposes set out in the Agreement and DPA. Elicit shall not sell or share information as those terms are defined under the CCPA.
11. GENERAL
11.1. The parties agree that this DPA shall replace any existing data processing addendum, attachment, exhibit or standard contractual clauses that the parties may have previously entered into in connection with the Elicit Services. Elicit may update this DPA from time to time, provided that no such update shall materially diminish the privacy or security of Customer Personal Data.
11.2. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
11.3. Elicit's obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following conditions: (a) Customer is solely responsible for communicating any additional processing instructions on behalf of its Authorized Affiliates; (b) Customer shall be responsible for Authorized Affiliates' compliance with this DPA.
11.4. In the event of any conflict between this DPA and any data privacy provisions set out in any agreements between the parties relating to the Elicit Services, the parties agree that the terms of this DPA shall prevail, provided that if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses control and take precedence.
11.5. Each party's liability arising out of or related to this DPA shall remain subject to the limitation of liability section of the Agreement.
11.6. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
11.7. The obligations placed upon each party under this DPA and the Standard Contractual Clauses shall survive so long as Elicit processes Customer Personal Data on behalf of Customer.
ANNEX A – DESCRIPTION OF THE PROCESSING / TRANSFER
Data exporter: The entity identified as the "Customer" in the Agreement and this DPA.
Data importer: Elicit Research, PBC, 1904 Franklin St, Oakland, California, 94612, USA. Contact: Sarah Park, Head of Operations, [email protected].
Categories of data subjects: Individuals about whom data is provided to Elicit via the Elicit Services, including staff, employees, consultants, students, authorized users, customers of, or who are otherwise connected to Customer's enterprise or institution.
Categories of personal data transferred: The types of Customer Personal Data are determined and controlled by Customer in its sole discretion, and may include name, address, title, contact details, and any other personal data processed in the course of the Services as Customer Content.
Frequency of the Transfer: Continuous or one-off depending on the services being provided by Elicit.
Nature and subject matter of processing: Elicit is building an AI-powered research assistant. Customer Personal Data is processed for the term of the Agreement and any period after termination during which Elicit processes Customer Personal Data.
Competent supervisory authority: The data exporter's competent supervisory authority will be determined in accordance with the EU GDPR.
ANNEX B – STANDARD CONTRACTUAL CLAUSES
Where the transfer of Customer Personal Data to Elicit is a Restricted Transfer, such transfer shall be governed by the Standard Contractual Clauses (EU Commission Implementing Decision 2021/914), incorporated as follows:
Module Two terms apply where Customer is the controller; Module Three terms apply where Customer is the processor.
In Clause 9, general authorization (option 2) is selected; subprocessor change notice process is as set out in Section 4.3 of the DPA.
In Clause 17, option 1 applies and the SCCs shall be governed by Irish law; disputes shall be resolved before the courts of Ireland.
For UK transfers: the SCCs are modified by the UK Addendum (IDTA version B1.0).
For Swiss transfers: references to EU law are replaced with references to Swiss law; the Swiss Federal Data Protection Information Commissioner and applicable courts of Switzerland apply.