Data Processing Addendum

Last updated: April 1, 2025

This Data Processing Addendum, including its Annexes and the Standard Contractual Clauses (“DPA”), forms  an integral part of the Elicit Master Services Agreement (“MSA”), or any other written agreement that  governs Customer's use of the Elicit Services (as defined below) entered into between the entity  identified as the “Customer” in such Agreement (“Customer”) and Elicit Research, PBC (“Elicit”) (the “Agreement”), and applies solely to the extent that Elicit processes any Customer Personal Data (defined  below) in connection with the Elicit Services. Customer enters into this DPA on behalf of itself and, if applicable and to the extent required under Applicable Data Protection Laws, in the name  and on behalf of its Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set  forth in the Agreement. For the purposes of the DPA only, and except where otherwise indicated, the term  “Customer” shall include Customer and its Authorized Affiliates. 

1. DEFINITIONS 

1.1. “Applicable Data Protection Laws” means all data protection and privacy laws and regulations  applicable to the respective party in its role in the processing of Customer Personal Data under the  Agreement, which may include, to the extent applicable, European Data Protection Laws and the CCPA. 

1.2. “Authorized Affiliate” means a Customer Affiliate who is authorized to use the Elicit Services under  the Agreement and who has not signed their own separate "Agreement" with Elicit. 

1.3. “CCPA” means the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100, et seq.), as may be  amended, superseded or replaced from time to time. 

1.4. “Customer Content” means, if not defined within the Agreement, all data processed by Elicit on your  behalf in the course of providing the Elicit Services. 

1.5. “Customer Personal Data” means any ‘personal data’ or ‘personal information’ contained within Customer Content.

1.6. “Elicit Services” means the Platform Services (as defined in the Agreement) and/or any other  services provided directly by Elicit to the Customer under the Agreement. 

1.7. “European Data Protection Laws” means (a) Regulation 2016/679 (General Data Protection Regulation)  (“EU GDPR”); (b) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the European  Union (Withdrawal) Act 2018 (“UK GDPR”); and (c) the Swiss Federal Data Protection Act and its  implementing regulations (“Swiss Data Protection Act”); in each case as may be amended, superseded  or replaced from time to time. 

1.8. “Restricted Transfer” means a transfer (directly or via onward transfer) of personal data that is subject  to European Data Protection Laws to a third country outside the European Economic Area, United  Kingdom and Switzerland which is not subject to an adequacy determination by the European  Commission, United Kingdom or Swiss authorities (as applicable).  

1.9. “Security Addendum” means all additional controls and documents that support the protection of data, which can be found at https://trust.elicit.com/

1.10. “Security Breach” means a breach of security leading to an accidental or unlawful destruction, loss,  alteration, unauthorized disclosure of, or access to, Customer Personal Data. 

1.11. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the  European Commission's Implementing Decision 2021/914 of 4 June 2021, as may be amended, superseded  or replaced from time to time.  

1.12. “Subprocessor” means any other processor engaged by Elicit to process Customer Personal Data.

1.13. “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under S.119 (a) of the UK Data Protection Act 2018, as updated or amended from time to time.

1.14. The terms “controller”, “data subject”, “supervisory authority”, “processor”, “process”, “processing”, “personal data”, and “personal information” shall have the meanings given to them in Applicable Data  Protection Laws. The term “controller” includes “business”, the term “data subject” includes “consumers”,  and the term “processor” includes “service provider” (in each case, as defined by the CCPA).  

2. PROCESSING OF PERSONAL DATA 

2.1. Scope and Roles of the Parties. This DPA applies when Customer Personal Data is processed by  Elicit as a processor in its provision of the Elicit Services to Customer, who will act as either a  controller or processor, as applicable, of Customer Personal Data.  

2.2. Customer Processing. Customer agrees that (i) it will comply with its obligations under Applicable Data  Protection Laws in its processing of Customer Personal Data and any processing instructions it issues to  Elicit, and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary  under Applicable Data Protection Laws for Elicit to process Customer Personal Data and provide the  Elicit Services pursuant to the Agreement (including this DPA).  

2.3. Elicit Processing. Elicit agrees that (a) when Elicit processes Customer Personal Data in its capacity as a processor on behalf of the Customer, Elicit will (i) comply with Applicable Data Protection Laws, and (ii) process the Customer Personal Data as necessary to perform its obligations under the Agreement, and only in accordance with Customer’s documented instructions (as set forth in the Agreement, in this DPA, or as directed by the Customer or Customer’s Authorized Users through the Elicit Services). Elicit is not responsible for determining if Customer's processing instructions are compliant with applicable law. However, Elicit shall notify Customer in writing if, in its reasonable opinion, the Customer's processing instructions infringe Applicable Data Protection Laws and provided that Customer acknowledges that Customer Personal Data may be processed on an automated basis in accordance with Customer's use of the Elicit Services, which Elicit does not monitor.

2.4. Details of Processing. The details of the processing of Customer Personal Data by Elicit are set out  in Annex A to the DPA. 

3. CONFIDENTIALITY 

3.1. Personnel. Elicit shall ensure that any employees or personnel it authorizes to process Customer Personal Data are subject to an appropriate duty of confidentiality.

4. SUBPROCESSING 

4.1. Authorization. Customer provides a general authorization for Elicit's use of Subprocessors to process Customer Personal Data in accordance with this Section, including those Subprocessors listed at https://trust.elicit.com/subprocessors (“Subprocessor List”).

4.2. Subprocessor Obligations. Elicit shall (i) enter into a written agreement with its Subprocessors,  which includes data protection and security measures no less protective than the measures set forth in  this DPA; and (ii) remain fully liable for any breach of the Agreement and this DPA that is caused by an act,  error or omission of its Subprocessors to the extent that Elicit would have been liable for such act,  error or omission had it been caused by Elicit.  

4.3. Subprocessor Changes.  We will notify you of subprocessor changes via updates to our publicly available Subprocessor List, available at https://trust.elicit.com/subprocessors, and you may subscribe, at https://trust.elicit.com/updates,  to receive email updates when the Subprocessor List is updated. 

5. ASSISTANCE  

5.1. Data Subject Requests. Customer is responsible for responding to and complying with data subject  requests (“DSR”). The Elicit Services include controls that Customer may use to assist it to respond  to DSR. If Customer is unable to access or delete any Customer Personal Data using such controls,  Elicit shall, taking into account the nature of the processing, reasonably cooperate with Customer to  enable Customer to respond to the DSR. If a data subject sends a DSR to Elicit directly and where  Customer is identified or identifiable from the request, Elicit will promptly forward such DSR to  Customer and Elicit shall not, unless legally compelled to do so, respond directly to the data subject  except to refer them to the Customer to allow Customer to respond as appropriate.  

5.2. Data Protection Impact Assessments. Elicit will provide reasonably requested information  regarding the Elicit Services to Customer to carry out data protection impact assessments relating  to the processing of Customer Personal Data and any related required consultation with supervisory  authorities as required by Applicable Data Protection Laws, so long as Customer does not otherwise have  access to the relevant information. 

5.3. Legal Requests. If Elicit receives a subpoena, court order, warrant or other legal demand from law  enforcement or any public or judicial authority seeking the disclosure of Customer Personal Data,  Elicit will attempt to redirect the governmental body to request such Customer Personal Data  directly from Customer. As part of this effort, Elicit may provide Customer’s basic contact  information to the governmental body. If compelled to disclose Customer Personal Data to a governmental  body, Elicit will give Customer reasonable notice of the legal demand to allow Customer to seek a  protective order or other appropriate remedy, unless Elicit is legally prohibited from doing so. 

6. SECURITY 

6.1. Security Measures. Elicit has implemented and will maintain appropriate technical and  organizational security measures as set forth in the Security Addendum (“Security Measures”). The  Security Measures are subject to technical progress and development and Elicit may update the Security Measures, provided that any updates shall not materially diminish the overall security of  Customer Personal Data or the Elicit Services. Elicit may make available certain security  controls within the Elicit Services that Customer may use in accordance with the Documentation.  

6.2. Security Breach Notification. In the event of a Security Breach, Elicit will (a) notify Customer in  writing without undue delay and in no event later than seventy-two (72) hours after becoming aware of the  Security Breach; and (b) promptly take reasonable steps to contain, investigate, and mitigate any adverse  effects resulting from the Security Breach. Elicit will reasonably cooperate with and assist Customer with respect to any required notification to supervisory authorities or data subjects (as applicable), taking into account the nature of the processing, the information available to Elicit, and any restrictions on  disclosing the information (such as confidentiality). 

7. AUDITS AND RECORDS  

7.1. Audit Program. Upon written request and at no additional cost to Customer, Elicit shall provide  Customer, and/or its appropriately qualified third-party representative, access to reasonably requested  documentation or letters of attestation evidencing Elicit’s commitments to compliance with its obligations under this DPA in the form of the relevant audits or certifications listed in the Security Addendum.

7.2. Audit. Only to the extent Customer cannot reasonably satisfy itself of Elicit's compliance with this DPA through the Audit Reports, or where required by Applicable Data Protection Laws, Customer may send a written request to conduct an audit of Elicit's applicable controls on an annual basis. Elicit and Customer shall mutually agree on the details of the audit, including the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit. The Audit Report, audit, and any information arising therefrom shall be considered Elicit Confidential Information and may only be shared with a third party (including a third party controller) with Elicit's prior written agreement.

8. TRANSFER OF PERSONAL DATA 

8.1. Restricted Transfers. Where the transfer of Customer Personal Data to Elicit is a Restricted  Transfer, such transfer shall be governed by the Standard Contractual Clauses, which shall be deemed  incorporated into and form an integral part of the Agreement in accordance with Annex B of this DPA. 

8.2. Alternative Transfer Mechanisms. If and to the extent that a court of competent jurisdiction or a  supervisory authority with binding authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Customer Personal Data to Elicit, the parties shall  reasonably cooperate to agree and take any actions that may be reasonably required to implement any  additional measures or alternative transfer mechanism to enable the lawful transfer of such Customer  Personal Data. Additionally, in the event Elicit adopts an alternative transfer mechanism (including  any successor version of the Privacy Shield), such alternative transfer mechanism shall apply instead of  the SCCs described in Section 8.1 of this DPA (but only to the extent such alternative transfer mechanism complies with applicable European Data Protection Laws and extends to the territories to which Customer  Personal Data is transferred). 

9. DATA TERMINATION

9.1. No Backups. The Elicit Services do not include backup services or disaster recovery for Customer Personal Data. It is the Customer's obligation to back up any Customer Personal Data if desired.

9.2. Termination. Upon termination or expiration of the Agreement and following Customer’s written request, Elicit will delete or assist Customer in deleting any Customer Personal Data within its possession or control within thirty (30) days following such request.  

10. CCPA COMPLIANCE 

10.1. Elicit shall not process, retain, use, or disclose Customer Personal Data for any purpose other than  for the purposes set out in the Agreement, DPA and as permitted under the CCPA. Elicit shall not sell  or share information as those terms are defined under the CCPA. 

11. GENERAL 

11.1. The parties agree that this DPA shall replace any existing data processing addendum, attachment, exhibit or standard contractual clauses that the parties may have previously entered into in connection with the  Elicit Services. Elicit may update this DPA from time to time, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.

11.2. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected. 

11.3. Elicit’s obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the  following conditions: (a) Customer is solely responsible for communicating any additional processing  instructions on behalf of its Authorized Affiliates; (b) Customer shall be responsible for Authorized  Affiliates’ compliance with this DPA and all acts and/or omissions by an Authorized Affiliate with respect to Customer’s obligations under this DPA; and (c) if an Authorized Affiliate seeks to assert a legal demand,  action, suit, claim, proceeding or otherwise against Elicit (“Authorized Affiliate Claim”), Customer must bring such Authorized Affiliate Claim directly against Elicit on behalf of such Authorized  Affiliate, unless Applicable Data Protection Laws require the Authorized Affiliate be a party to such claim, and all Authorized Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Agreement, including any aggregate limitation of liability. In no  event will this DPA or any party restrict or limit the rights of any data subject or of any competent  supervisory authority. 

11.4. In the event of any conflict between this DPA and any data privacy provisions set out in any agreements between the parties relating to the Elicit Services, the parties agree that the terms of this DPA shall prevail, provided that if and to the extent the Standard Contractual Clauses conflict with any provision of  this DPA, the Standard Contractual Clauses control and take precedence. 

11.5. Notwithstanding anything to the contrary in the Agreement or this DPA and to the maximum extent  permitted by law, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including all Annexes hereto), the SCCs or any data protection agreements in  connection with the Agreement (if any), whether in contract, tort or under any other theory of liability, shall  remain subject to the limitation of liability section of the Agreement and any reference in such section to  the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement  and this DPA, including all Annexes hereto. Customer agrees that any regulatory penalties incurred by  Elicit that arise in connection with Customer’s failure to comply with its obligations under this DPA or any laws or regulations including Applicable Data Protection Laws shall reduce Elicit’s liability  under the Agreement as if such penalties were liabilities to Customer under the Agreement. 

11.6. This DPA will be governed by and construed in accordance with the governing law and jurisdiction    provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws. 

11.7. The obligations placed upon each party under this DPA and the Standard Contractual Clauses shall survive so long as Elicit processes Customer Personal Data on behalf of Customer.



ANNEX A 

DESCRIPTION OF THE PROCESSING / TRANSFER

ANNEX 1(A): LIST OF PARTIES

Data exporter 

Name of the data exporter: The entity identified  as the “Customer” in the Agreement and this DPA. 

Organization Address: Mailing address of Customer as identified in the Agreement or otherwise notified to Data Importer.

Contact person’s name, position and contact details: The address and contact details associated with Customer's Elicit account, or as otherwise specified in this DPA or the Agreement.

Activities relevant to the data transferred: The activities specified in Annex 1(B) below.

Role (Controller/Processor): Controller (for  Module 2) or Processor (for Module 3).

Data importer 

Name of the data importer: Elicit Research, PBC 

Organization Address: 1904 Franklin St, Oakland, California, 94612, USA

Contact person’s name, position and contact  details: Sarah Park, Head of Operations, privacy@elicit.com 

Activities relevant to the data transferred: The activities specified in Annex 1(B) below.


Role (Controller/Processor): Processor 





ANNEX 1(B): DESCRIPTION OF THE PROCESSING / TRANSFER

Categories of data subjects whose personal data  is transferred:

Data subjects include individuals about whom data  is provided to Elicit via the Elicit Services (by or at the direction of Customer), which  shall include: individual natural persons who are staff, employees, consultants, students, authorized users, customers of, or who are otherwise connected to Customer’s enterprise or institution, or other individual natural persons whose personal data is included in the Customer Content, Customer Materials, or otherwise shared by Customer.

Categories of personal data transferred: 

The types of Customer Personal Data are  determined and controlled by Customer in its sole  discretion, and may include, but are not limited to:  (a) name, address, title, contact details; and/or (b) any other personal data processed in the course of the Services as Customer Content.

Sensitive data transferred (if appropriate) 

Subject to any applicable restrictions and/or  conditions in the Agreement and this DPA,  Customer may include special categories of  personal data or similarly sensitive personal data  (as described or defined in Applicable Data  Protection Laws) in Customer Personal Data, the  extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data  processed for the purposes of uniquely identifying a natural person, data concerning health and/or data concerning a natural person’s sex life or sexual orientation.

Frequency of the Transfer 

Continuous or one-off depending on the services being provided by Elicit.

Nature, subject matter and duration of the processing: 

Nature: Elicit is building an AI-powered research assistant, as further described in the Agreement.  

Subject Matter: Customer Personal Data.

Duration: The duration of the processing will be for the term of the Agreement and any period after the termination or expiry of the Agreement during which Elicit processes Customer Personal Data.

Purpose(s) of the data transfer and further processing: 

Elicit shall process Customer Personal Data for the following purposes: (a) as necessary for the  performance of the Elicit Services and Elicit's obligations under the Agreement  (including the DPA), including processing initiated  by Authorized Users in their use and configuration  of the Elicit Services; and (b) further  documented, reasonable instructions from  Customer agreed upon by the parties (the  “Purposes”).

Period for which the personal data will be retained: 

Elicit will retain Customer Personal Data for the term of the Agreement and any period after the termination or expiry of the Agreement during which Elicit processes Customer Personal Data in accordance with the Agreement.

ANNEX 1(C): COMPETENT SUPERVISORY AUTHORITY

Competent supervisory authority 

The data exporter's competent supervisory  authority will be determined in accordance with the  EU GDPR.


ANNEX B 

STANDARD CONTRACTUAL CLAUSES (Modules 2 and 3) 

1. Subject to Section 8.1 of the DPA, where the transfer of Customer Personal Data to Elicit is a  Restricted Transfer and Applicable Data Protection Laws require that appropriate safeguards are put  in place, such transfer shall be governed by the Standard Contractual Clauses, which shall be deemed  incorporated into and form part of the DPA as follows:  

a. In relation to transfers of Customer Personal Data protected by the EU GDPR, the SCCs shall  apply as follows: 

I. Module Two terms shall apply (where Customer is the controller of Customer Personal  Data) and the Module Three terms shall apply (where Customer is the processor of  Customer Personal Data); 

II. in Clause 7, the optional docking clause shall apply and Authorized Affiliates may accede to the SCCs under the same terms and conditions as Customer, subject to mutual agreement of the parties;

III. in Clause 9, option 2 (“general authorization”) is selected, and the process and time  period for prior notice of Sub-processor changes shall be as set out in Section 4.3 of  the DPA; 

IV. in Clause 11, the optional language shall not apply; 

V. in Clause 17, option 1 shall apply and the SCCs shall be governed by Irish law;

VI. in Clause 18(b), disputes shall be resolved before the courts of Ireland;

VII. Annex I shall be deemed completed with the information set out in Annex A to the DPA;  and 

VIII. Annex II shall be deemed completed with the information set out in the Security  Addendum, subject to Section 6.1 (Security Measures) of the DPA. 

b. In relation to transfers of Customer Personal Data protected by the UK GDPR, the SCCs as  implemented under Section 1(a) above shall apply with the following modifications:  

I. the SCCs shall be modified and interpreted in accordance with Part 2 of the UK  Addendum, which shall be deemed incorporated into and form an integral part of the  DPA; 

II. Tables 1, 2 and 3 in Part 1 of the UK Addendum shall be deemed completed with the  information set out in Annex A and Annex B to the DPA and the Security Addendum  respectively, and Table 4 in Part 1 of the UK Addendum shall be deemed completed by  selecting "neither party"; and  

III. Any conflict between the terms of the SCCs and the UK Addendum will be resolved in  accordance with Section 10 and Section 11 of the UK Addendum. 

c. In relation to transfers of Customer Personal Data protected by the Swiss Data Protection Act, the SCCs as implemented under Section 1(a) above will apply with the following modifications: 

I. references to “Regulation (EU) 2016/679” and specific articles therein shall be  interpreted as references to the Swiss Data Protection Act and the equivalent articles  or sections therein; 

II. references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced  with references to “Switzerland” and/or “Swiss law” (as applicable);  

III. references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”;

IV. the SCCs shall be governed by the laws of Switzerland; and 

V. disputes shall be resolved before the competent Swiss courts. 

2. Where the Standard Contractual Clauses apply pursuant to Section 8.1 of this DPA, this section  sets out the parties' interpretations of their respective obligations under specific provisions of the  Clauses, as identified below. Where a party complies with the interpretations set out below, that  party shall be deemed by the other party to have complied with its commitments under the Standard  Contractual Clauses: 

a. where Customer is itself a processor of Customer Personal Data acting on behalf of a third  party controller and Elicit would otherwise be required to interact directly with such  third party controller (including notifying or obtaining authorizations from such third party  controller), Elicit may interact solely with Customer and Customer shall be responsible  for forwarding any necessary notifications to and obtaining any necessary authorizations  from such third party controller; 

b. the certification of deletion described in Clause 16(d) of the SCCs shall be provided by  Elicit to Customer upon Customer's written request;  

c. for the purposes of Clause 15(1)(a) of the SCCs, Elicit shall notify Customer and not the relevant data subject(s) in case of government access requests, and Customer shall be solely responsible for notifying the relevant data subjects as necessary; and

d. Taking into account the nature of the processing, Customer agrees that it is unlikely that Elicit would become aware that Customer Personal Data processed by Elicit is inaccurate or outdated. To the extent Elicit becomes aware of such inaccurate or outdated data, Elicit will inform the Customer in accordance with Clause 8.4 of the SCCs.