Data Processing Agreement

CoreWeave Data Processing Agreement (DPA)

Last updated August 11, 2022

This Data Processing Addendum (“DPA”) is subject to, incorporated with, and part of, the CoreWeave Terms of Service (“TOS”) and is entered into between CoreWeave, Inc. (“CoreWeave”) and the customer identified in the TOS (“Customer”). CoreWeave and Customer shall be collectively referred to herein as “Parties” and individually as a “Party”.

The parties agree as follows:

1. Definitions.

“Authorized Affiliate” means any of Customer’s affiliate(s) permitted to or otherwise receiving the benefit of CoreWeave Services pursuant to the TOS.

“Controller” means an entity that determines the purposes and means of the Processing of Personal Data.

“CoreWeave Services” means any product or service provided by CoreWeave to Customer or its Authorized Affiliates pursuant to and as more particularly described in the TOS, including the CoreWeave Cloud Platform.

“Data Protection Laws” means all applicable laws and regulations, including, without limitation, laws and regulations of the European Union; the European Economic Area and their member states; Switzerland; the United Kingdom; Canada and its provinces; the People's Republic of China; and the United States and its individual states; applicable to the Processing of Personal Data under this DPA, and include without limitation, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”); the California Consumer Privacy Act of 2018, as amended from time to time, and including any implementing regulations (“CCPA”); the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”); the Personal Information Protection Law of the People’s Republic of China, Adopted at the 30th meeting of the Standing Committee of the 13th National People's Congress on August 20, 2021.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Personal Data” means any information CoreWeave Processes for Customer or its Authorized Affiliates that (i) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in CoreWeave’s possession or control or that CoreWeave is likely to have access to, or any other information that is defined as “personal information” or “personal data” under any applicable Data Protection Laws.

“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other activity that the relevant Data Protection Laws may otherwise include in the definition of processing.

“Processor” means an entity that processes Personal Data on behalf of the Controller.

“Security Incident” means any act or omission that compromises the security, confidentiality or integrity of Personal Data or the physical, technical, administrative or organizational safeguards put in place to protect it that rises to the level of a security breach or incident under the applicable Data Protection Laws.

“Service Provider” means a Processor Processing Personal Data as a “service provider” as defined under applicable Data Protection Laws.

“Standard Contractual Clauses” means the Standard Contractual Clauses based on the Commission Decision C(2010)593 Standard Contractual Clauses (Model 2: controller to processor) found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, as set out in the Annex to Commission Decision (EU) 2021/914, which are incorporated herein by reference, and which a completed copy of the applicable Annexes are attached as Appendix B.

“Sub-processor” means any Processor engaged by CoreWeave or its affiliates to assist in fulfilling its obligations with respect to providing CoreWeave Services pursuant to the TOS or this DPA. Contact CoreWeave for a list of approved Sub-processors.

2. Applicability.

This DPA applies where and only to the extent that CoreWeave processes Personal Data on behalf of the Customer or its Authorized Affiliates in the course of providing CoreWeave Services that is subject to protection under Data Protection Laws. Appendix A describes the general Personal Data categories and Data Subject types CoreWeave may Process in connection with the providing the CoreWeave Services pursuant to the TOS.

3. Processing of Personal Data.

Role of the Parties. The Parties agree that in regard to the Processing of Personal Data under Data Protection Laws that define the Parties’ relationship as one between a Controller and a Processor (such as GDPR), Customer is the Controller and CoreWeave is the Processor. The Parties agree that in regard to the Processing of Personal Data under Data Protection Laws that define the Parties’ relationship as one between a business and a Service Provider, (such as CCPA and PIPEDA), CoreWeave is the Service Provider. The Parties agree that in regard to the Processing of Personal Data under Data Protection Laws that define the Parties’ relationship as one between a Personal Information Processor and an Entrusted Party, Customer is the Personal Information Processor and CoreWeave is the Entrusted Party. Nothing in this DPA or in the TOS shall be construed as to state or imply that CoreWeave has a direct relationship with the individual customers or users of Customer or its Authorized Affiliates or that CoreWeave is acting as a Controller under Data Protection Laws.

Customer Obligations. Customer shall, in its use of the CoreWeave Services, Process Personal Data in accordance with, and in compliance with, all applicable laws, including, without limitation, Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which Customer acquired any Personal Data, including, without limitation, receiving all necessary consents of each Data Subject and ensuring the accuracy of all Personal Data.

CoreWeave Processing of Personal Data. CoreWeave agrees to Process Personal Data on behalf of and in accordance with Customer’s documented written instructions in connection with: (i) Processing in accordance with this DPA and the TOS; (ii) Processing in relation to the providing the CoreWeave Services; or (iii) Processing otherwise required pursuant to applicable Data Protections Laws. The Parties agree that this DPA and the TOS set out Customer’s complete and final instructions to CoreWeave in relation to the Processing of Personal Data and any processing outside the scope of such instructions (if any) shall require prior written agreement between Customer and CoreWeave.

4. Sub-processing.

Authorized Sub-processors. Customer understands and agrees that CoreWeave may engage Sub-processors from time to time to process Personal Data on Customer's or its Authorized Affiliates’ behalf. Customer consents to the use of CoreWeave’s current Sub-processors. In the event that CoreWeave intends to engage a new Sub-processor with respect to the CoreWeave Services, CoreWeave will update this list and send notification to Customer.

Sub-processor Obligations. When applicable, CoreWeave shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause CoreWeave to breach any of its obligations under this DPA.

Objection to Sub-processors. Customer may object in writing to CoreWeave’s appointment of a Sub-processor on reasonable grounds relating to data protection by notifying CoreWeave promptly in writing within five (5) calendar days of receipt of CoreWeave’s notice in accordance with this DPA. Such notice shall explain the reasonable grounds for the objection. In such event, the Parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If this is not possible, either Party may terminate the applicable CoreWeave Services that cannot be provided by CoreWeave without the use of the objected-to-new Sub-processor.

5. Security.

Security Measures. CoreWeave shall implement and maintain appropriate technical and organizational security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data, in accordance with CoreWeave's security standards described here (“Security Measures”).

Confidentiality of Processing. CoreWeave shall ensure that any person who is authorized by CoreWeave to process Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

Security Incident Response. Upon becoming aware of a Security Incident, CoreWeave shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.

Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that CoreWeave may update or modify the Security Measures from time to time.

6. Security Reports and Audits.

Upon Customer's written request, CoreWeave shall provide (on a confidential basis) copies of relevant external certifications, audit report summaries and/or other documentation reasonably required by Customer to verify CoreWeave's compliance with this DPA. CoreWeave shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm CoreWeave's compliance with this DPA, provided that Customer shall not exercise this right more than once per year.

7. International Transfers.

If Data Protection Laws restrict cross-border Personal Data transfers, Customer will, and will cause its Authorized Affiliates so, only transfer that Personal Data to CoreWeave under the following conditions: (i) CoreWeave, either through its location or participation in a valid cross-border transfer mechanism under Data Protection Laws, as identified in Appendix A, may legally receive that Personal Data, or (ii) the transfer otherwise complies with Data Protection Laws for the reasons set forth in Appendix A. If any Personal Data transfer between Customer and CoreWeave requires execution of Standard Contractual Clauses in order to comply with Data Protection Laws, the Parties agree the Standard Contractual Clauses will thereby be deemed incorporated herein, and will complete all relevant details in, and execute, the annexes to the Standard Contractual Clauses contained in Appendix B, and take all other actions required to legitimize the transfer. In the event of a conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

8. Return or Deletion of Data.

Upon deactivation of CoreWeave Services, all Personal Data shall be deleted pursuant to CoreWeave’s retention and deletion policies. Notwithstanding the foregoing, CoreWeave reserves the right to retain relevant data and information when required by applicable law; when under court order, subpoena, or other legal order; or when preserving evidence following or in anticipation of a civil or criminal lawsuit.

9. Cooperation.

Cooperation. CoreWeave shall (at Customer's expense), taking into account the nature of the processing, provide reasonable cooperation to assist Customer in responding to a Data Subject request made under applicable Data Protection Laws relating to the processing of Personal Data under the TOS. In the event that any such Data Subject request is made directly to CoreWeave, CoreWeave shall not respond to such request directly without Customer's prior authorization, unless legally compelled to do so (as determine in CoreWeave’s good faith discretion). If CoreWeave is required to respond to a Data Subject request, CoreWeave shall promptly notify Customer and provide Customer with a copy of such Data Subject Request (to the extent legally permitted).

Data Impact Assessment. To the extent CoreWeave is required under applicable Data Protection Laws, CoreWeave shall (at Customer's expense) provide reasonably requested information regarding CoreWeave's Processing of Personal Data under the TOS to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

10. Sale of Personal Data.

CoreWeave shall: (a) not sell the Personal Data (including to the extent of the definition of “sell” as defined in the CCPA); (b) not retain, use or disclose Personal Data for any purpose other than for performing the CoreWeave Services, in compliance with the TOS, or as otherwise permitted by applicable Data Protection Laws; (c) not retain, use or disclose the Personal Data for a commercial purpose (including to the extent of the definition of “commercial purpose” as defined in the CCPA) other than the agreed purposes set forth in the TOS; and (d) not retain, use, or disclose Personal Data outside of the direct business relationship between CoreWeave and Customer, except as may otherwise be provided in this DPA. CoreWeave hereby certifies that it understands and is willing to abide by the restrictions in this Section.

11. Miscellaneous.

Notice Requirements. Any notices required to be delivered by CoreWeave to Customer shall be sent to [EMAIL]. Any notices required to be delivered by Customer to CoreWeave hereunder shall be sent to [email protected].

Term. CoreWeave will Process Personal Data for the duration of the DPA, unless otherwise agreed in writing.

Severability. If one or more provisions of this DPA are held to be unenforceable under applicable law, the Parties agree to renegotiate such provision in good faith. In the event that such provision was not required by the Data Protection Laws and the Parties cannot reach a mutually agreeable and enforceable replacement, then (a) such provision shall be excluded from this DPA, (b) the balance of this DPA shall be interpreted as if such provision were so excluded, and (c) the balance of this DPA shall be enforceable in accordance with its terms.

Limitation of Liability. Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to those limitations of liability set forth in the TOS and any reference in the TOS limiting a Party’s liability means the aggregate liability of that Party under the TOS and this DPA.

Governing Law. Apart from the specific provisions and requirements governed by Data Protection Laws, this DPA and all acts and transactions pursuant hereto and the rights and obligations of the Parties hereto shall be governed, construed and interpreted in accordance with the laws of the State of New York, USA, without giving effect to principles of conflicts of law. The Standard Contractual Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland. Any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of an EU Member State. The Parties agree that those shall be the courts of Dublin, Ireland.

APPENDIX A

PERSONAL DATA PROCESSING PURPOSES AND DETAILS

Business Purposes: Performance of CoreWeave’s Services pursuant to the TOS.

Personal Data Categories:

Data Subject Types:

Approved Sub-processors:

Identify Counterparty’s legal basis for receiving Personal Data with cross-border transfer restrictions (select one):

Located in an EEA Member State or in a country with a current determination of adequacy (list country): ___________________________
Binding Corporate Rules
Standard Contractual Clauses
Other (describe in detail):_______________________________________________________

APPENDIX B

STANDARD CONTRACTUAL CLAUSES

ANNEX I

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name: … Address: … Contact person’s name, position and contact details: … Activities relevant to the data transferred under these Clauses: … Signature and date: … Role (controller/processor): …

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name: … Address: … Contact person’s name, position and contact details: … Activities relevant to the data transferred under these Clauses: … Signature and date: … Role (controller/processor): …

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred ………………………..

Categories of personal data transferred ………………………..

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.………………………..

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).…………………………

Nature of the processing…………………………

Purpose(s) of the data transfer and further processing………………………..

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period ……………………..

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 ………………………….

ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:

ANNEX II - LIST OF SUB-PROCESSORS

Contact CoreWeave for a list of approved Sub-processors.

Last updated August 11, 2022​

1. Definitions.​

2. Applicability.​

3. Processing of Personal Data.​

4. Sub-processing.​

5. Security.​

6. Security Reports and Audits.​

7. International Transfers.​

8. Return or Deletion of Data.​

9. Cooperation.​

10. Sale of Personal Data.​

11. Miscellaneous.​

APPENDIX A​

PERSONAL DATA PROCESSING PURPOSES AND DETAILS​

APPENDIX B​

STANDARD CONTRACTUAL CLAUSES​

ANNEX I​

A. LIST OF PARTIES​

B. DESCRIPTION OF TRANSFER​

C. COMPETENT SUPERVISORY AUTHORITY​