CoStar Global Modular Data Processing Addendum

Last Updated: January 15, 2026

Learn more about our Global DPA. See our overview of how our modular data processing terms work.

This Data Processing Addendum (this “DPA”), including the Standard Contractual Clauses and any other transfer addenda (together, “Transfer Agreements”), as applicable and incorporated by reference, forms part of and supplements the existing agreement for Services between CoStar Realty Information, Inc. and its Affiliates (“CoStar” or “Company”) and the counterparty identified in the agreement and its Affiliates (“Customer”), including any addenda or schedules in the agreement (collectively “Agreement”). This DPA sets out the Parties’ data-protection obligations whenever Personal Data is Processed in connection with the Services, including (a) Controller-Controller exchanges and (b) where Schedule A expressly designates CoStar as Processor for defined Customer Personal Data. This DPA applies automatically to each product or feature identified in Schedule A that Customer purchases or enables; sections for products not purchased or enabled do not apply. To the extent you are using any Services absent any offline agreement, you will be deemed to have accepted this DPA and applicable Transfer Agreements upon acceptance or execution of the applicable Terms of Use.

Capitalized terms have the meanings given in Section 1. Each of CoStar and Customer is a “Party,” and together the “Parties.” In the event of a conflict between this DPA and the Agreement, this DPA controls to the extent the conflict relates to Processing of Personal Data or international data transfers.

1. DEFINITIONS

“Algorithmic Impact Assessment” means an assessment designed to identify and mitigate potential impacts (including accuracy, bias, fairness, security, privacy, and safety risks) arising from the use of AI Systems or advanced analytics in connection with the Services. 

“Approved Addendum” or “UK Addendum” means the template addendum issued by the UK Information Commissioner’s Office under s119A of the Data Protection Act 2018 (effective 21 March 2022), as amended from time to time. 

“Adequate Country” means a country or territory that the European Commission has determined provides an adequate level of protection for Personal Data. “UK Adequate Country” means a country or territory the UK Government has determined provides adequate protection for Personal Data for UK transfer purposes. 

“Applicable Data Protection Law” means any applicable supranational, national, state, or local laws and regulations, as revised from time to time, related to data protection, privacy, and security that apply to the Parties with regard to the Processing of Personal Data under this DPA, including, to the extent applicable, (a) EU/EEA/UK/Swiss data protection laws, including the GDPR, UK GDPR and the UK Data Protection Act 2018 (as amended by the UK Data Use and Access Act 2025), the ePrivacy Directive and national implementations, and Switzerland’s Federal Act on Data Protection; and (b) Non-EU Data Protection Laws, including without limitation: the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (“CCPA”), Colorado Privacy Act (“CPA”), Connecticut Data Privacy Act (“CTDPA”), Virginia Consumer Data Protection Act (“VCDPA”), Utah Consumer Privacy Act (“UCPA”), Texas Data Privacy and Security Act (“TDPSA”), Oregon Consumer Privacy Act (“OCPA”), Delaware Personal Data Privacy Act (“DPDPA”), New Jersey Data Privacy Act (“NJDPA”), Tennessee Information Protection Act (“TIPA”), Minnesota Consumer Data Privacy Act (“MCDPA”), Maryland Online Data Privacy Act (“MODPA”), Florida Digital Bill of Rights (“FDBR”), Washington My Health My Data Act (“MHMD”), Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), Québec Law 25, and Brazil’s Lei Geral de Proteção de Dados (“LGPD”), in each case as amended or replaced. 

• “EEA” means the European Economic Area (the European Union, Iceland, Liechtenstein, and Norway).
• “EU” means the European Union.
• “EU Data Protection Law” means the General Data Protection Regulation (“GDPR”), the ePrivacy Directive (2002/58/EC) and national implementations, and related member-state laws.
• “Non-EU Data Protection Laws” has the meaning set out in Applicable Data Protection Law above.
• “Switzerland” means the Swiss Confederation.
• “Swiss Data Protection Law” means the Swiss Federal Act on Data Protection and related ordinances.
• “UK” means the United Kingdom of Great Britain and Northern Ireland.
• “UK Data Protection Law” means the UK GDPR and the Data Protection Act 2018, as amended by the UK Data (Use and Access) Act 2025, and related regulations.

“AI Systems” “Artificial Intelligence” or “AI” means a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. 

“AI Act Roles” (“Provider,” “Deployer”/“User,” “Importer,” “Distributor,” “General-Purpose AI (GPAI),” “Systemic GPAI,” “High-Risk AI System,” “Low-Risk AI System”) have the meanings given in the EU Artificial Intelligence Act, as applicable to the Services. 

“Business,” “Service Provider,” and “Contractor” have the meanings given in the CCPA. 

“Company-Controlled Personal Data” means Personal Data that Company determines to collect or otherwise process for its own purposes (e.g., account data, platform telemetry, directory/listing curation, fraud prevention, analytics, and advertising/measurement where permitted). 

“Conformity Assessment” means process required under applicable EU legislation (including the EU AI Act) to determine whether an AI System meets specified safety, quality, and performance requirements before being made available, imported, or deployed in the EU. 

“Controller,” “Processor,” “Joint Controller,” “Personal Data Breach,” and “Processing” (and “Process”) have the meanings given in the GDPR (and include equivalent terms under other Applicable Data Protection Laws). Where the CCPA applies: “Controller” includes “Business”; “Processor” includes “Service Provider”/“Contractor.” 

“Controller Personal Data” means any Personal Data one Party provides or makes available to the other Party under the Agreement in connection with that Party’s provision or use of the Services as a Controller. 

“Customer Personal Data” means Personal Data provided by Customer to Company for Company to Process on Customer’s documented instructions where the Agreement or a schedule identifies Company as Processor. 

“Data Privacy Framework” or “DPF” means, as applicable, the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework. 

“Data Subject” means an identified or identifiable natural person whose Personal Data are Processed under or in connection with the Agreement (and includes equivalent terms, such as “consumer,” under other Applicable Data Protection Laws). 

“EU AI Act” means the Regulation (EU) 2023/206 of the European Parliament and of the Council of 20 July 2023 laying down harmonized rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts, aimed at ensuring the safe and lawful development, deployment, and use of artificial intelligence within the European Union. 

“Personal Data” means data or information relating to an identified or identifiable Data Subject (and includes equivalent terms, such as “personal information,” under other Applicable Data Protection Laws. “Personal Information”). 

“Services” means the services described in the Agreement, including access to and use of the Company’s products or platforms and any related support. 

“Share,” “Shared,” or “Sharing” means disclosure of Personal Data to another party for cross-context behavioral or targeted advertising, whether or not for monetary or other valuable consideration. 

“Standard Contractual Clauses” or “SCCs” means, as applicable: (a) the European Commission’s standard contractual clauses for international transfers of Personal Data (currently Commission Implementing Decision (EU) 2021/914), including, as relevant to the Parties’ roles, Module One (Controller-Controller), Module Two (Controller-Processor), and/or Module Three (Processor-Processor); (b) for UK transfers, the Approved Addendum to the SCCs; and (c) for Swiss transfers, the Swiss-specific addendum language necessary for use of the SCCs, in each case as updated or replaced. 

2. ROLES AND SCOPE

2.1 Application. This DPA governs the Processing of Personal Data by the Parties in connection with the Services to the extent such Processing is subject to Applicable Data Protection Law. Each Party shall at all times comply with all applicable requirements of Applicable Data Protection Laws. 

2.2 Default Roles (Controller-Controller). Except as expressly stated in Annex A, each Party acts as an independent Controller for Personal Data it Processes in connection with the Services, and Section 3 (Controller-Controller) applies. 

2.3 Processor Terms. The Controller-Processor terms in Section 4 apply automatically and only to the specific dataset(s) or feature(s) for any product identified in Annex A as Processor Processing (including where Customer acts for a third-party Controller and appoints CoStar as Subprocessor). Such terms shall apply where Customer purchases or enables an applicable product or feature. CoStar will process Customer Personal Data solely (a) on Customer’s documented instructions; and (b) for the purposes and duration applicable to such product or feature. For all other Processing, the Parties are independent Controllers and Section 3 applies. 

2.4 Products Not Purchased or Enabled. Sections related to products or features that Customer does not purchase or enable shall not apply. 

2.5 Conflicts. If there is any inconsistency regarding roles for a product or dataset, Annex A controls for that product or dataset. In all cases, international transfers are governed first by Section 3.4 and any applicable the applicable Transfer Agreement. Conflicts between this DPA and any applicable Transfer Agreement will be governed by the Transfer Agreement. 

3. CONTROLLER-CONTROLLER MODULE

3.1 Independent Controllers. For purposes of Applicable Data Protection Law, each Party is an independent Controller of the Controller Personal Data that it collects or otherwise Processes pursuant to the Agreement. Each Party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller under Applicable Data Protection Law. The Parties agree that they are not joint Controllers of any Controller Personal Data. Each Party will individually determine the purposes and means of its Processing of Controller Personal Data. If the Parties later agree that they act as joint controllers for a specific activity, they will document a separate joint Controller arrangement in writing. 

3.2 Obligations of the Parties. Each Party represents and warrants that: (a) it has the necessary right and authority to enter into this DPA and the ability to perform its obligations herein; (b) its execution and performance under this DPA and the Agreement will not violate any agreement to which it is a party; and (c) it has provided all required information to Data Subjects including, where required, that Controller Personal Data may be passed to third parties for the purposes of the Agreement and has a lawful basis for such Processing. 

1. 3.2.1 Without limiting the foregoing, each Party will maintain a publicly accessible privacy policy on its website that complies with Applicable Data Protection Laws and that describes at a minimum its Controller Processing and the categories of Personal Data Processed, purposes of such Processing, and rights available to Data Subjects.
2. 3.2.2 Each Party will promptly notify the other if it believes any request or proposed Personal Data exchange between the Parties would violate Applicable Data Protection Law.
3. 3.2.3 Subject to this DPA, each Party, acting as a Controller, may process the Controller Personal Data in accordance with, and for the purposes in, the Agreement, and may permit the disclosure of the Controller Personal Data described in the Agreement or otherwise herein for the applicable Controller Services to which Customer subscribes for the purposes described in such Party’s privacy policy (the “Permitted Purpose”). Notwithstanding the foregoing, data obtained by a Party independent of Customer’s use of the Services that is the same, or similar to the Controller Personal Data described herein shall not be restricted by this DPA, any license agreement, or any terms or conditions for such Services. For the avoidance of doubt, any Party may use all Controller Personal Data collected on an aggregated or de-identified basis as set out in such parties’ privacy policy, provided that such use does not reveal Company, Customer, or Data Subjects directly or indirectly.
4. 3.2.4 The types of Controller Personal Data may include, but are not necessarily limited to, email, login credentials and username, device identifiers, and other online identifiers.
5. 3.2.5 Data Subjects whose information is contained in the Controller Personal Data may include, but are not necessarily limited to, end users of the Services and/or, to the extent applicable under Applicable Data Protection Law, Personal Data of employees, consultants, or other contacts of a Party. 

3.3 Security and Confidentiality. Each Party shall implement and maintain appropriate technical and organizational measures designed to protect the Controller Personal Data from unauthorized or unlawful access, loss, disclosure, alteration, or destruction. If a Party suffers a Personal Data breach, as defined by Applicable Data Protection Law, which is known or reasonably suspected to affect Controller Personal Data, such Party shall notify the other without undue delay (and in any event no later than 72 hours after confirmation) of a Personal Data Breach likely to affect Controller Personal Data, subject to any legal restrictions on disclosure. Where feasible, the notifying Party will share draft regulator and/or individual notices that reference the other Party for good-faith input before sending. The Parties shall cooperate in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Personal Data breach and to prevent recurrence. Nothing herein prohibits any Party from providing notification of the Personal Data breach to regulatory authorities as may be required by Applicable Data Protection Law prior to notifying the other Party so long as the notifying Party provides notification to the other Party without undue delay. Each Party shall ensure that all of its personnel who Process Controller Personal Data are obligated to keep the Controller Personal Data confidential. 

3.4 Controller Personal Data Transfers. Where the Parties exchange Controller Personal Data that requires transfer protections under Applicable Data Protection Law, the Parties will enter into applicable Transfer Agreements where necessary for compliant Personal Data transfers. Where the Parties exchange Personal Data that is subject to EU Data Protection Law, Swiss Data Protection Law, and/or UK Data Protection Law, the Parties hereby agree to enter into Module One of the SCCs incorporated in Schedule 1; unless one of the following applies: (a) the Party receiving Controller Personal Data is in an Adequate Country (or UK Adequate Country), including through self-certification to an applicable Data Privacy Framework if the recipient Party is in the United States, (b) another safeguard, such as binding corporate rules, applies; or (d) a derogation is appropriate. 

3.5 Data Subject Requests. Each Party will handle its own requests from Data Subjects exercising their rights. For objections or opt-outs relating to shared Personal Data, the Parties will reasonably cooperate to honor such requests. 

3.6 Compliance Cooperation. The Parties agree to reasonably cooperate and assist each other in relation to any regulatory consultation, inquiry, complaint, or investigation concerning Controller Personal Data shared between the Parties. This includes reasonable cooperation in implementing transparency measures to comply with the EU AI Act for Limited Risk AI Systems, if applicable. 

3.7 Data Retention. The Parties shall fulfill their obligations with regards to their respective data retention periods as stated in their respective privacy policies and set out in each Party’s internal deletion and retention schedules. Deletion from backup media will occur in the ordinary course of backup rotation and restoration testing, unless earlier deletion is required by law. 

4. CONTROLLER-PROCESSOR MODULE 

4.1 Application. The Controller-Processor terms in this Section 4 apply only to the dataset(s) or feature(s) for any product identified in Annex A as Processor Processing (including where Customer acts for a third-party Controller and appoints CoStar as Subprocessor). For all other Processing, Section 3 applies.

4.2 Role of the Parties 

1. 4.2.1 Processing in Accordance with Applicable Data Protection Law. For the dataset(s) or feature(s) designated Processor Processing in Annex A, Customer is the Controller (or acts on behalf of a Controller) and CoStar is the Processor. Each Party will comply with Applicable Data Protection Law for its role. Customer remains solely responsible for the accuracy, quality, and legality of Customer Personal Data and for having a lawful basis and required notices and permissions.
2. 4.2.2 Limited Risk AI Systems. If Company Processes Personal Data using Limited Risk AI Systems, as defined under the EU AI Act, Company shall ensure compliance with all applicable transparency obligations, including providing clear information to Data Subjects about the use of such AI Systems and conducting Algorithmic Impact Assessments to identify and mitigate any potential risks associated with these systems. 

4.3 Obligations of the Parties

1. 4.3.1 General Processing Conditions. CoStar will Process Customer Personal Data solely on Customer’s documented instructions, which consist of: (a) the Agreement and this DPA; (ii) the Annex A product/dataset designations; and (b) Customer’s configurations and written instructions made through the Services. CoStar will promptly notify Customer if it cannot comply with an instruction or if, in CoStar’s opinion, an instruction violates Applicable Data Protection Law. The Parties agree that the Agreement and DPA are deemed to be the sole instructions, unless the Parties agree otherwise in writing. CoStar will promptly notify Customer if, in CoStar’s opinion, Customer’s instructions would not comply with Applicable Data Protection Law. Customer retains control of the Customer Personal Data and remains responsible for its compliance obligations under Applicable Data Protection Law, including providing any required notices and obtaining any required consents, and for the Processing instructions it gives to CoStar.
2. 4.3.2 Details of Processing. The subject matter, duration, nature and purpose of Processing, categories of Personal Data, and Data Subject types are set out in Annex A.
3. 4.3.3 Local Implementation Agreement. If and when necessary to accommodate laws, regulations, or local business requirements in a particular country, the Parties may enter into a Local Implementation Addendum covering requirements not already addressed in the Agreement or this DPA.
4. 4.3.4 U.S. Processor. Where CoStar acts as a Processor under Applicable U.S. State Privacy Laws, CoStar will not sell, not Share, and not use Customer Personal Data for any purpose other than providing the Services to the Customer, except as permitted by Applicable U.S. State Privacy Laws. CoStar certifies it understands and will comply with these restrictions.
5. 4.3.5 Subprocessing – General Authorization. Customer provides general authorization for CoStar to appoint Subprocessors following notice and objection procedures. CoStar will: (a) maintain an up-to-date Subprocessor list (available upon request or via a posted URL); (b) provide at least 10 business days’ prior notice of changes, permitting Customer to object to the appointment of any new Subprocessor; (c) impose written terms on Subprocessors that provide at least the level of protection required by this DPA; and (d) remain responsible for Subprocessors’ performance. In the event Customer reasonably objects to a new Subprocessor, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services that cannot be provided by Company without the use of the objected-to Subprocessor by providing Company with written notice of at least 30 calendar days’ prior notice, provided that all amounts due under the Agreement shall be duly paid to Company. 

4.4 Security and Confidentiality 

1. 4.4.1 Company Security. Company will implement and maintain appropriate technical and organizational measures, described in Schedule 3, designed to protect the Customer Personal Data from unauthorized or unlawful access, loss, disclosure, alteration, or destruction. A description of Company’s security measures is set out in Schedule 3.
2. 4.4.2 Personal Data Breach Notification and Resolution. Notification. Company will notify Customer without undue delay, and within relevant timeframes set out in Applicable Data Protection Law, after a confirmed Personal Data breach, as defined by Applicable Data Protection Law. If a confirmed Personal Data breach affects or is likely to affect Customer Personal Data, Company will notify Customer by email to the notice email address on the signature page below or, if no email is provided, by contacting Customer’s principal contact for the Services as specified in Customer’s account information. It is Customer’s sole responsibility to maintain accurate contact information on the Customer account at all times. Mitigation. Company will take commercially reasonable measures to remedy or mitigate the effects of any Personal Data breach and will keep Customer informed of material developments in connection with a Personal Data breach affecting or likely to affect Customer Personal Data. Company will provide reasonable cooperation to Customer so that Customer can fulfill any Personal Data breach reporting obligations Customer may have under (and in accordance with the timeframes required by) Applicable Data Protection Law. No Admission. Company’s obligation to report or respond to a Personal Data breach under this Section is not and will not be construed as an acknowledgment by Company of any fault or liability of Company with respect to any Personal Data breach.
3. 4.4.3 Confidentiality of Processing. Company will treat Customer Personal Data as Customer’s Confidential Information (as that term is defined in the Agreement). Company will protect the Customer Personal Data in accordance with the confidentiality obligations under the Agreement, and will ensure that all Company personnel who Process Customer Personal Data are obligated to keep the Customer Personal Data confidential. 

4.5 Customer Personal Data Transfers

1. 4.5.1 Transfer Agreements. Where CoStar receives Customer Personal Data that requires transfer protections under Applicable Data Protection Law, CoStar will not receive or onward transfer Customer Personal Data without entering into applicable Transfer Agreements where necessary for compliant Personal Data transfers. Customer is responsible for informing CoStar if other Transfer Agreements are required to Process Customer Personal Data.
2. 4.5.1 Personal Data Subject to EU, Swiss, and/or UK Data Protection Laws. Where CoStar receives Customer Personal Data that is subject to EU Data Protection Law, Swiss Data Protection Law, and/or UK Data Protection Law, the Parties hereby agree to enter into Module Two (or if Customer is a Processor, Module Three) of the SCCs incorporated in Schedule 1; unless one of the following applies: (a) CoStar recipient is in an Adequate Country (or UK Adequate Country), including through self-certification to an applicable Data Privacy Framework if the CoStar recipient is in the United States, (b) another safeguard, such as binding corporate rules, applies; or (c) a derogation is appropriate. Where CoStar onward transfers Customer Personal Data that is subject to EU Data Protection Law, Swiss Data Protection Law, and/or UK Data Protection Law, CoStar agrees to enter into Module Three of the SCCs with any recipient Subprocessor; unless one of the following applies: (a) recipient Subprocessor is in an Adequate Country (or UK Adequate Country), including through self-certification to an applicable Data Privacy Framework if the recipient Subprocessor is in the United States, (b) another safeguard, such as binding corporate rules, applies; or (c) a derogation is appropriate 

4.6 Data Subject Requests. Upon request, Company will provide reasonable and timely assistance to Customer to enable Customer to respond to: (a) any request from a Data Subject to exercise any valid rights under Applicable Data Protection Law (including rights of access, correction, objection, erasure, and data portability, as applicable); and (b) any other correspondence, inquiry, or complaint received from a Data Subject, regulator, or other party in connection with the Processing of the Customer Personal Data. If any such request, correspondence, inquiry, or complaint is made directly to Company, Company will (unless prohibited by applicable law) promptly inform Customer providing full details of the same. Notwithstanding the foregoing, if Company receives a request directly, Company will not respond except to acknowledge receipt and direct the requester to Customer, unless required by law or unless related to Personal Data for which Company is a Controller.

4.7 Compliance Cooperation

1. 4.7.1 Data Protection Impact Assessment. Company will provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment obligations that Customer may be required to perform under Applicable Data Protection Law, taking into account the nature of Company’s Processing and the information available to Company.
2. 4.7.2 Audit. Upon Customer’s written request, at reasonable intervals (but not more than once per year), and subject to the confidentiality obligations set forth in the Agreement or an appropriate NDA, Company will make available to Customer a sufficiently detailed summary of its most recent third-party audits, certifications, or other similar documentation, which demonstrates Company’s compliance with its obligations under this DPA. Company will at reasonable intervals complete Customer’s targeted questionnaires regarding compliance with Company’s obligations under this DPA that are not sufficiently explained in Company’s audit summaries. To the extent permitted by Applicable Data Protection Law, the Parties agree that the audit rights provided for in Applicable Data Protection Law or the SCCs, will be satisfied by Company’s provision of such summaries or reports and responses to Customer’s targeted questionnaires. To the extent Applicable Data Protection Law requires a different audit or assessment of Company as a Processor, the Parties agree to negotiate the scope, process, and timing of any such audits upon Customer’s written request, which will be provided to Company at least 60 calendar days prior to any such planned audit or assessment. Any such audits or assessments will be at Customer’s sole expense.
3. 4.7.3 Data Retention. Within 30 calendar days after a written request by Customer or the termination or expiration of the Agreement, Company will: (a) if requested by Customer, provide Customer with a copy of any Customer Personal Data in Company’s possession that Customer does not already have; and (b) securely destroy all Customer Personal Data in Company’s possession in a manner that makes such Customer Personal Data non-readable and non-retrievable, which may include aggregation or deidentification. If Customer requests return, CoStar will provide Customer Personal Data in a commonly used, machine-readable format. Notwithstanding the foregoing, Company may retain copies of Customer Personal Data: (i) to the extent Company has a separate legal right or obligation to retain some, or all, of the Customer Personal Data; and (ii) in backup systems until the backups have been overwritten or expunged in accordance with Company’s backup policy. Until the data is deleted or returned, Company shall continue to ensure compliance with its security and privacy obligations in the Agreement and this DPA. 

5. ALLOCATION OF COSTS. Each Party will perform its obligations under this DPA at its own cost, except as otherwise specified herein. 

6. LIABILITY. To the fullest extent permitted by law, the Parties’ liability under or in connection with this DPA is subject to the exclusions and limitations in the Agreement. 

7. MISCELLANEOUS 

7.1 Construction; Interpretation. This DPA is part of the Agreement and is not a standalone contract. It is governed by the Agreement’s terms (including limitations of liability and dispute resolution) except where this DPA states otherwise. This DPA and the Agreement form the complete agreement as to data protection matters and supersede prior communications on that subject. Headings are for convenience only. 

7.2 Severability. If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the Parties. To the extent permitted by applicable law, the Parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect. 

7.3 Enforcement of Rights. No waiver of any rights under this DPA, will be effective unless in writing signed by the Parties to this DPA. The failure by a Party to enforce any rights under this DPA will not be construed as a waiver of any rights of such Party. 

7.4 Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the Agreement. If the Agreement is assigned by a Party in accordance with its terms, this DPA is automatically assigned by the same Party to the same assignee. 

7.5 Counterparts. This DPA may be executed in counterparts and by electronic signature. Where Customer accepts the Terms of Use online, such acceptance constitutes execution of this DPA by the Parties. 

7.6 Modification. Company may update the terms of this Addendum from time to time, including, but not limited to: (a) as required to comply with Applicable Data Protection Law, applicable regulation, court order, or regulatory guidance; or (b) to add terms to comply with new or amended data protection laws or regulations. If such update will have a material adverse impact on Customer, as reasonably determined by Company, then Company will use reasonable efforts to inform Customer at least 30 calendar days (or such shorter period as may be required to comply with Applicable Data Protection Law) before the change will take effect. If Customer objects to any such change, Customer may terminate this DPA by giving written notice to Company within 30 calendar days of being informed by Company of the change. 

7.7 Order of Precedence; Third-Party Rights. In case of conflict, the following order applies: (a) the SCCs or applicable Transfer Agreement for the relevant transfers; (b) this DPA; (c) the Agreement; and (d) the Terms of Use. This DPA does not create third-party beneficiary rights, except to the extent required by Applicable Data Protection Law or a binding agreement that takes precedence. 

8. GOVERNING LAW. To the fullest extent permitted by law, this DPA is governed by the law selected in the Agreement, and disputes are subject to the Agreement’s forum. If Applicable Data Protection Law or an applicable Transfer Agreement requires otherwise for a specific Personal Data transfer, the alternate governing law applies solely for Personal Data subject to that law or agreement. 

9. TERMINATION. This DPA remains in effect for so long as (a) the Agreement remains in effect, or (b) CoStar retains Customer Personal Data in its possession or control. Upon termination of the Agreement or Customer’s written request, CoStar will return or delete Customer Personal Data in accordance with Section 4.7.3. The following Sections survive termination: Sections 1 (to the extent definitions are used), 3, 4.4, 4.7.3, 5–9, and any other provisions that by their nature should survive. 

10. ELECTRONIC ACCEPTANCE. By accepting the Terms of Use or using the Services, you agree to this DPA. Where required for cross-border transfers, the SCCs are incorporated by reference and deemed executed. 

View our Standard Contractual Clauses here.

SCHEDULE A

Self-Executing Brand Matrix

Self-executing application. This Annex A applies automatically when Customer purchases or enables any brand or service listed in the table below. For each brand, CoStar typically acts as an independent Controller, and the Processor terms in Section 4 of the DPA apply only to the limited Processor scope identified for that brand in this Annex A. No other order-form selection is required. All other Processing is automatically governed by Section 3 of the DPA.