Data Protection Addendum


This Data Protection Addendum (“Addendum”) between CodeRabbit, Inc. (“CodeRabbit”) and the Customer (as defined in the Agreement) forms part of the CodeRabbit, Inc. Terms of Service set forth at https://coderabbit.ai/terms-of-service or such other written or electronic agreement incorporating this Addendum, in each case governing Customer’s access to and use of the Services (the “Agreement”).

Customer enters into this Addendum on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with CodeRabbit. For the purposes of this Addendum only, and except where otherwise indicated, references to “Customer” shall include Customer and such Affiliates.

The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.

1. Definitions 

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

o "Addendum Effective Date" has the meaning given to it in section 2; 

o "Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Client or CodeRabbit (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

o "Client Personal Data" means any Personal Data Processed by CodeRabbit (i) on behalf of Client (including, for the sake of clarity, any Client Affiliate), or (ii) otherwise Processed by CodeRabbit, in each case pursuant to or in connection with instructions given by Client in writing, consistent with the Terms;

o "Controller to Processor SCCs" means the Standard Contractual Clauses (processors) for the purposes of Article 26(2) of Directive 95/46/EC set out in Decision 2010/87/EC, as the same are revised or updated from time to time by the European Commission;

o "Data Protection Laws" means (i) Directive 95/46/EC and, from May 25, 2018, Regulation (EU) 2016/679 ("GDPR"), together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons, and (ii) to the extent not included in sub-clause (i), the Data Protection Act 1998 of the United Kingdom, as amended from time to time, and including any substantially similar legislation that replaces the DPA 1998;

o "Privacy Shield" means the EU-US Privacy Shield Framework; and 

o "Services" means the services to be supplied by CodeRabbit to Client or Client Affiliates pursuant to the Terms.

1.2 The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processor" and "Supervisory Authority" have the same meanings as described in applicable Data Protection Laws, and cognate terms shall be construed accordingly.

1.3 Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Terms.

2. Formation of this Addendum 

This Addendum is deemed agreed by the Parties and comes into effect on the “Addendum Effective Date”, being the later of the dates on which this Addendum is accepted by (i) Client and (ii) CodeRabbit.

3. Roles of the Parties 

The Parties acknowledge and agree that with regard to the Processing of Client Personal Data, and as more fully described in Annex 1 hereto, Client acts as a Controller and CodeRabbit acts as a Processor (each as defined in section 1.2 above).

The Parties expressly agree that Client shall be solely responsible for ensuring timely communications to Client’s Affiliates or the relevant Controller(s) who receive the Services, insofar as such communications may be required or useful in light of applicable Data Protection Laws to enable Client’s Affiliates or the relevant Controller(s) to comply with such Laws.

4. Description of Personal Data Processing 

In Annex 1 to this Addendum, the Parties have mutually set out their understanding of the details of the Processing of the Client Personal Data to be Processed by CodeRabbit pursuant to this Addendum, as required by Article 28(3) of the GDPR. Either Party may make reasonable amendments to Annex 1 by written notice to the other Party and as reasonably necessary to meet those requirements. Annex 1 does not create any obligation or rights for any Party.

5. Data Processing Terms 

5.1 

Client shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum. As between the Parties, Client shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of, and transfer to CodeRabbit of, Client Personal Data. Client agrees not to provide CodeRabbit with any data concerning a natural person’s health, religion, or any special categories of data as defined in Article 9 of the GDPR.

5.2 

CodeRabbit shall comply with all applicable Data Protection Laws in the Processing of Client Personal Data, and CodeRabbit shall:

5.2.1 

process the Client Personal Data relating to the categories of Data Subjects for the purposes of the Terms and for the specific purposes in each case as set out in Annex 1 to this Addendum, and otherwise solely on the documented instructions of Client, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Terms, including with regard to transfers of Client Personal Data to a third country or to an international organization; CodeRabbit shall immediately inform Client if, in CodeRabbit’s opinion, an instruction infringes applicable Data Protection Laws;

5.2.2 

ensure that persons authorized to process the Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

5.2.3 

implement and maintain the technical and organizational measures set out in the Terms and, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement any further appropriate technical and organizational measures necessary to ensure a level of security appropriate to the risk of the Processing of Client Personal Data, including as appropriate:

(a) pseudonymization and encryption of Client Personal Data; 

(b) ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services that process Client Personal Data;

(c) restoring the availability of and access to Client Personal Data in a timely manner in the event of a physical or technical incident; and

(d) regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of the Client Personal Data.

Any amendment to such agreed measures that is necessitated by Client shall be dealt with via an agreed change control process between CodeRabbit and Client;

5.2.4 

Client (on behalf of the relevant Controller(s), as applicable) hereby expressly and specifically authorizes CodeRabbit to engage another Processor to Process the Client Personal Data ("Other Processor"), and specifically the Other Processors listed in Annex 2 hereto, subject to CodeRabbit's:

(a) notifying Client of any intended changes to its use of Other Processors listed in Annex 2 by emailing notice of the intended change to Client;

(b) including data protection obligations in its contract with each Other Processor that are materially the same as those set out in this Addendum; and

(c) remaining liable to the Client for any failure by each Other Processor to fulfill its obligations in relation to the Processing of the Client Personal Data.

In relation to any notice received under section 5.2.4(a), the Client shall have a period of 30 (thirty) days from the date of the notice to inform CodeRabbit in writing of any reasonable objection to the use of that Other Processor. The Parties will then, for a period of no more than 30 (thirty) days from the date of the Client's objection, work together in good faith to attempt to find a commercially reasonable solution for the Client which avoids the use of the objected-to Other Processor. Where no such solution can be found, either Party may (notwithstanding anything to the contrary in the Terms) terminate the relevant Services immediately on written notice to the other Party, without damages, penalty, or indemnification whatsoever.

5.2.5 

to the extent legally permissible, promptly notify Client of any communication from a Data Subject regarding the Processing of Client Personal Data, or any other communication (including from a Supervisory Authority) relating to any obligation under the applicable Data Protection Laws in respect of the Client Personal Data and, taking into account the nature of the Processing, assist Client (or the relevant Controller) by appropriate technical and organizational measures, insofar as this is possible, in the fulfillment of Client’s, Client’s Affiliates’ or the relevant Controller(s)’ obligation to respond to requests for exercising the Data Subjects' rights laid down in Chapter III of the GDPR; Client agrees to pay CodeRabbit for time and for out-of-pocket expenses incurred by CodeRabbit in connection with the performance of its obligations under this Section 5.2.5;

5.2.6 

upon becoming aware of a Personal Data Breach involving Client Personal Data, notify Client without undue delay, such notice to include all information reasonably required by Client (or the relevant Controller) to comply with its obligations under the applicable Data Protection Laws;

5.2.7 

to the extent required by the applicable Data Protection Laws, provide reasonable assistance to Client, Client’s Affiliates or the relevant Controller(s) with their obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and the information available to CodeRabbit; Client agrees to pay CodeRabbit for time and for out-of-pocket expenses incurred by CodeRabbit in connection with any assistance provided in connection with Articles 35 and 36 of the GDPR;

5.2.8 

cease Processing the Client Personal Data upon the termination or expiry of the Terms and, at the option of Client, Client’s Affiliates or the relevant Controller(s), either return or delete (including by ensuring such data is in a non-readable format) all copies of the Client Personal Data Processed by CodeRabbit, unless (and solely to the extent and for such period as) applicable law requires storage of the Personal Data. Notwithstanding the foregoing or anything to the contrary contained herein, CodeRabbit may retain Personal Data and shall have no obligation to return Personal Data to the extent required by applicable laws or regulations. Any such Personal Data retained shall remain subject to the obligations of confidentiality set forth in the Terms; and

5.2.9 

make available to Client all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, by Client or an auditor mandated by Client. For the purposes of demonstrating compliance with this Addendum under section 5.2.9, the Parties agree that once per year during the term of the Terms, CodeRabbit will provide to Client, on reasonable notice, responses to cybersecurity and other assessments. Client agrees to pay CodeRabbit for time and for out-of-pocket expenses incurred by CodeRabbit in connection with assistance provided in connection with such audits, responses to cybersecurity assessments, and other assessments.

6. Transfers 

CodeRabbit has obtained a SOC 2 Type 2 attestation report covering its information security management. CodeRabbit shall notify Client in writing without undue delay if it can no longer comply with its obligations under the Privacy Compliance, and, in such a case, CodeRabbit will have the option of (i) promptly taking reasonable steps to remediate any non-compliance with applicable obligations under this Addendum, or (ii) engaging in a good faith dialogue with Client to determine a new data transfer mechanism to carry out the purposes of the Terms. CodeRabbit acts as a Processor with respect to Personal Data received pursuant to a data transfer.

In the event the Privacy Compliance is invalidated, Client and each Client Affiliate (on behalf of the relevant Controller(s), as the case may be), if applicable (as "data exporter"), and CodeRabbit (as "data importer"), with effect from the commencement of the relevant transfer, shall enter into the Controller to Processor SCCs (mutatis mutandis, as the case may be) in respect of any transfer (or onward transfer) from Client or Client Affiliate to CodeRabbit, where such transfer would otherwise be prohibited by applicable Data Protection Laws or by the terms of data transfer agreements put in place to address applicable Data Protection Laws. Appendix 1 to the Controller to Processor SCCs shall be deemed to be prepopulated with the relevant sections of Annex 1 to this Addendum, and the processing operations are deemed to be those described in the Terms. Appendix 2 to the Controller to Processor SCCs shall be deemed to be prepopulated with the following: "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CodeRabbit shall implement appropriate technical and organizational measures as set forth in the Addendum."

7. Precedence 

The provisions of this Addendum are supplemental to the provisions of the Terms. In the event of any inconsistency between the provisions of this Addendum and the provisions of the Terms, the provisions of this Addendum shall prevail.

8. Indemnity 

To the extent permissible by law, Client shall indemnify and hold harmless CodeRabbit against all (i) losses, (ii) third-party claims, (iii) administrative fines, and (iv) costs and expenses (including, without limitation, reasonable legal, investigatory and consultancy fees and expenses) reasonably incurred in relation to (i), (ii) or (iii), suffered by CodeRabbit and that arise from any breach by Client of this Addendum or of its obligations under applicable Data Protection Laws.

9. Severability 

The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.

10. Others

CodeRabbit ensures that the contract to process PII addresses CodeRabbit’s role in providing assistance with the customer's obligations.

The Agreement addresses the following:

a. Privacy by design and by default;

b. Achieving security of processing;

c. Notification of breaches involving PII to a Supervisory Authority;

d. Notification of breaches involving PII to customers and PII principals;

e. Conducting privacy impact assessments;

f. Assurance of assistance by the PII processor where prior consultation with the relevant PII protection authorities is needed;

g. CodeRabbit shall inform the customer if, in its opinion, a processing instruction infringes applicable legislation or regulation;

h. CodeRabbit does not use PII processed under a contract for the purposes of marketing and advertising;

i. CodeRabbit shall coordinate with clients to help audit the systems, and shall provide the customer with the appropriate information so that it can demonstrate compliance with its obligations;

j. CodeRabbit shall use GCP as a sub-processor, with security and privacy requirements fulfilled;

k. CodeRabbit shall comply with all statutory and regulatory requirements, SOC 2, and EU GDPR requirements;

l. The data shall be deleted or de-identified after the processing is complete (that is, after the selected retention period has elapsed);

m. CodeRabbit shall give clients 24 hours' advance notice of any legally binding request for disclosure of PII;

n. Data Subjects may request access to, correction of, and/or erasure of their PII by contacting the Data Protection Officer (DPO) below. Concerns and/or complaints relating to PII may also be raised by contacting the Data Protection Officer below:

Name: Vishavjeet Kaur 

Email ID: [email protected] 

Contact Number: +1 - 888 - 247 - 5357

Annex 1: Description of Processing of Client Personal Data 

This Annex includes certain details of the Processing of Client Personal Data as required by Article 28(3) GDPR and, as applicable, the Controller to Processor SCCs.

Subject matter and duration of the Processing of the Personal Data 

The subject matter and duration of the Processing of the Client's Personal Data are set out in Section 2 of the Terms.

The nature and purpose of the Processing of Personal Data 

Due diligence and Background Verification of Organizations and Individuals. 

The categories of Data Subject to whom the Client's Personal Data relates

Employees and Contractors of Clients.

The types of Client Personal Data to be Processed 

Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Related person, Related URL, User ID, and Username

Special categories of data 

None 

The obligations and rights of Client 

The obligations and rights of Client are set out in the Terms and this Addendum. 

Data exporter (as applicable) 

The data exporter is: Client of CodeRabbit that uses the Services 

Data importer (as applicable) 

The data importer is: CodeRabbit, a company that provides services to the Client, which requires receiving the Client’s query data.

Processing operations (as applicable) 

The personal data transferred will be subject to the following basic processing activities: the provision of the Services by CodeRabbit to Client for due diligence and background verification as per Client requirements.

Annex 2: Authorized Other Processors

Name of Other Processor      Description of Processing          Location of Other Processor

Google Cloud Platform        Hosting the production environment US
Google Workspace             Email, collaboration               US
Zoom                         Virtual meetings                   US
Sentry                       Error alerting                     US
Stripe                       Payment gateway                    US
Chargebee                    Subscription management            US
LanguageTool                 Documentation reviews              Germany
Slack                        Team collaboration                 US
OpenAI                       AI LLMs                            US
GitHub                       Code repositories                  US
Pinecone                     Vector database                    US

CodeRabbit is an innovative, AI-driven platform that transforms the way code reviews are done. Its automated reviews elevate the code quality while significantly reducing the time and effort tied to extensive manual code reviews.

The platform offers insightful, line-by-line feedback on code changes, suggesting improvements and corrections that can enhance the efficiency and robustness of the code.

CodeRabbit © 2024.