Data Processing Agreement
Last updated on 09-04-2023
This Data Processing Agreement (“DPA”), along with our Terms of Service, Privacy Policy and Acceptable Use Policy, constitutes a legally binding agreement (“Agreement”) made between you, whether personally or on behalf of an entity (“Company”, “you”), and Gradian Labs LLP (“Gradian”, “We”, “Our”, “Us”) for the processing of personal data of data subjects through the use of our services (“Services”). Gradian and You may each be referred to as a “Party” or collectively as the “Parties.”
In the event of a conflict between this DPA and the provisions of any other agreement between the Parties, whether existing at the time this DPA is agreed or entered into thereafter, this DPA shall prevail, except where explicitly agreed otherwise in text form.
1. Definitions
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
- Applicable Data Protection Laws means, to the extent applicable:
- the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”), Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive”), the UK Data Protection Act 2018 and the GDPR as retained in UK law (“UK GDPR”), as well as any other laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland and the United Kingdom; and
- all privacy and data protection laws and regulations, worldwide (whether, national, state, provincial, local or otherwise), applicable to the Processing of Personal Data under the Agreement, as may be amended, extended, re-enacted, or interpreted from time-to-time; and including without limitation, any applicable jurisdiction-specific terms specified in Appendix 3.
- “Company Personal Data” or “Personal Data” means “any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”, as defined under the General Data Protection Regulation 2016/679, and includes any equivalent definition in the Applicable Data Protection Laws.
- Data Subject means the identified or identifiable person to whom Personal Data relates;
- Process, Processing or Processed means “any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”, as defined under the General Data Protection Regulation 2016/679 and includes any equivalent definition in the Applicable Data Protection Laws.
- “Sub-processor” means any person appointed by or on behalf of the Processor to Process Personal Data on behalf of the Controller in connection with the Agreement.
- Purpose means the services and the associated Processing of Personal Data as defined in Appendix 1 to this Agreement.
- Terms of Service means the legal agreement between the Controller as the user and the Processor, that governs the Controller’s limited, non-exclusive and terminable right to the use of the Gradian Site and Platform as defined in the Terms of Service.
- Standard Contractual Clauses or SCCs means the “Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council” as adopted by the European Commission on 4 June 2021 (Commission Implementing Decision (EU) 2021/914).
- UK Addendum to the SCCs means the International Data Transfer Addendum (version B1.0) to the Standard Contractual Clauses issued by the United Kingdom Information Commissioner’s Office.
- “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
2. Role of the Parties
- Gradian is a Data Processor and You are a Data Controller (the “Controller”) (both as defined in the GDPR).
- The Parties have agreed that the Controller will act as the sole Controller of the Personal Data and that the Processor renounces any rights it may have to act as a data controller of the Personal Data held by the Controller.
- The Parties have agreed that it may be necessary for the Processor to Process certain Personal Data on behalf of the Controller; in light of this Processing, the Parties have agreed to enter into this DPA to address the compliance obligations imposed upon the Controller pursuant to the Applicable Data Protection Laws.
- The Parties agree that the provision of the services under Gradian’s Terms of Service may qualify as commissioned data Processing as per Article 28 of the General Data Protection Regulation 2016/679.
- The Processor is appointed by the Controller to Process such Personal Data for and on behalf of the Controller as is necessary to provide the Processing services, and as may subsequently be agreed to by the Parties in writing. Any such subsequent agreement shall be subject to the provisions of this DPA.
3. Controller’s Processing of Personal Data
- The Controller shall Process Personal Data in accordance with the requirements of the Applicable Data Protection Laws. For the avoidance of doubt, the Controller’s instructions for the Processing of Personal Data shall comply with the Applicable Data Protection Laws and the Processor reserves the right to refuse such instructions if not in compliance with the Applicable Data Protection Laws. The Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it acquires the Personal Data.
- The Controller shall establish and have any and all required legal basis in order to collect, Process and transfer to Gradian the Personal Data, and to authorize the Processing by Gradian, and for Gradian’s Processing activities on Your behalf.
4. Gradian’s Processing of Personal Data
- Controller instructs Processor to process Company Personal Data to provide the Services and related technical support.
- The Processor shall Process Personal Data for the Purpose as described in the Terms of Service, as entered into between the Parties, on behalf of and under the direction of the Controller and as summarized in Appendix 1.
5. Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Company Personal Data, as strictly necessary for the purposes of the Agreement and to comply with Applicable Laws in the context of that individual’s duties to the Processor, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
6. Security
- Processor shall maintain appropriate technical and organizational measures for the security of Personal Data and for protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration or damage, or unauthorized disclosure of, or access to, Personal Data. Processor will not materially decrease the overall security of the Services during the term of the Agreement and this DPA.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Processor and its affiliates will implement the measures described in Appendix 2.
7. Audit Rights
Upon reasonable prior written notice of no less than thirty (30) days, and no more than once during any consecutive twelve (12)-month period, the Controller has the right, after consultation with the Processor, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. These rights of the Controller shall not extend to facilities which are operated by sub-processors, sub-contractors or any third parties which the Processor may use to attain its Purpose and provide its Platform. The Processor shall ensure that the Processing activities carried out by any such sub-processors, sub-contractors or third parties meet the requirements laid down in this DPA and in the Applicable Data Protection Laws.
8. Security Breach
- Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Data Protection Laws.
- Notification(s) of Security Breaches, if any, will be delivered to one or more of Company’s business, technical or administrative contacts by any means Gradian selects, including via email.
- Processor shall co-operate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Deletion and Return of Personal Data
- Subject to this section, Processor shall promptly, and in any event within 30 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete, anonymize or return to the Controller all copies of that Company Personal Data.
- Processor shall provide written certification to Controller that it has fully complied with this section within 30 business days of the Cessation Date.
10. Sub-Processing
- Controller provides a general authorization for Gradian to engage onward sub-processors that is conditioned on the following requirements:
- Gradian will restrict the onward sub-processor’s access to Company Personal Data only to what is strictly necessary to provide the Services, and Gradian will prohibit the sub-processor from processing the personal data for any other purpose.
- Gradian agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Company Personal Data to the standard required by Applicable Data Protection Law; and
- Gradian will be liable to Company for the acts and omissions of its sub-processors to the same extent that Gradian would itself be liable under this DPA had it conducted such acts or omissions.
- Controller consents to Gradian engaging additional third party sub-processors to Process Personal Data for the Purpose, provided that Gradian maintains an up-to-date list of its sub-processors at https://feedbackspark.com/legal/subprocessor/. Gradian will provide details of any change in sub-processors at least ten (10) days prior to any such change, and Controller may object to any such change, as follows:
- In the event of any change in sub-processors, Gradian will notify Controller, and Controller may object to such an engagement in writing within ten (10) days of Controller’s receipt of the aforementioned notice.
- If Controller reasonably objects to an engagement of a sub-processor in accordance with this Section, Gradian will provide Controller with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Gradian, in its sole discretion, cannot provide any such alternative(s), or if Controller does not agree to any such alternative(s), if provided, Gradian may terminate this Agreement. Termination will not relieve Controller of any fees owed to Gradian under the Agreement.
- If Controller does not object to the engagement of a sub-processor within ten (10) days of notice by Gradian, such sub-processor will be deemed authorized by Controller for the purposes of this Agreement.
11. Data Subject Rights
- Taking into account the nature of the Processing, Processor shall assist Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Company’s obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Applicable Data Protection Laws.
- Processor shall:
- promptly notify Company if it receives a request from a Data Subject under any Applicable Data Protection Law in respect of Company Personal Data; and
- ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Laws, inform Company of that legal requirement before the Processor responds to the request.
12. Data Transfers
The Personal Data will be physically stored exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Gradian may need to Process Personal Data on a global basis where access needs to be provided to authorized personnel of Gradian, its Affiliates or authorized sub-processors as necessary for the performance of the Platform, including from countries outside the European Economic Area (EEA) and/or the United Kingdom (“Third Countries”). Controller hereby approves the transfer of Personal Data to the locations stated in the sub-processor list and acknowledges that such transfers are made on a transfer mechanism recognised under the Applicable Data Protection Laws (see Appendix 3). Any such transfer is subject to compliance with the technical and organisational measures as set out in this Agreement.
13. General Terms
- Confidentiality. Each Party must keep any information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: 1. disclosure is required by law, or 2. the relevant information is already in the public domain.
- Notices. All notices and communications given under this Agreement must be in writing and will be sent by email. Controller shall be notified by email sent to the address related to its use of the Service under the Terms of Service. Processor shall be notified by email sent to the address: legal@feedbackspark.com
Appendix 1: Details of Processing
Purpose:
- Gradian is a digital survey platform that allows its users to gather feedback from their visitors and customers. The sole purpose of the feedback collection is to improve the functionality of their websites and/or apps and to enhance the overall user and/or customer experience.
- Gradian will process personal data as necessary to provide the Services under the Agreement, and as further instructed by Company in its use of the Services. Gradian does not sell Company’s personal data or Company end users’ personal data and does not share such personal data with third parties for compensation or for those third parties’ own business interests.
Type of Data:
- Depending on how the Controller chooses to use Gradian, the subject matter of Processing of Personal Data may cover different types of Personal Data and may include:
- FeedbackSpark User Id
- IP address
- Device screen width and height.
- Device type, operating system and browser type.
- Timezone
- Browser preferred Language
- Geographic location (country only)
- Referring URL and domain.
- User attributes that the Controller chooses to share with Gradian.
- Any personal data provided in the survey responses.
- Date and time of specific events occurring on Controller website and/or apps.
For more information on what data is collected and the security measures taken to protect this data, refer to the Gradian Terms of Service and Privacy Policy.
Appendix 2 - Technical and Organizational Measures
Technical and Organizational measures shall include, but are not limited to:
- Physical and logical access control. Details of the logical separation provided by AWS, our hosting provider, are available in the AWS documentation referenced below.
- Encryption at rest and in transit consistent with industry standard practices.
- Enforcing strong passwords consistent with industry standard technologies.
For more detailed information on the latest state-of-the-art measures adopted by our hosting provider, please refer to the following link: https://docs.aws.amazon.com/security/?secd_intro2
Appendix 3 - Jurisdiction specific terms
California
- The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (“CCPA”).
- The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law and, for clarity, includes any Personal Information contained in the Company Personal Data described in Appendix 1.
- The definition of “data subject” includes “Consumer” as defined under Applicable Data Protection Law. Any data subject rights, as described in Section 11 (Data Subject Rights) of this Agreement, apply to Consumer rights. In regards to data subject requests, Gradian can only verify a request from Company and not from Controller’s end users or any third party.
- The definition of “controller” includes “Business” as defined under Applicable Data Protection Law.
- The definition of “processor” includes “Service Provider” as defined under Applicable Data Protection Law.
- Gradian will process, retain, use, and disclose personal data only as necessary to provide the Services under the Agreement, which constitutes a business purpose. Gradian agrees not to (a) sell (as defined by the CCPA) Controller’s personal data or Controller’s end users’ personal data; (b) retain, use, or disclose Controller’s personal data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (c) retain, use, or disclose Controller’s personal data outside of the scope of the Agreement. Gradian understands its obligations under the Applicable Data Protection Law and will comply with them.
- Gradian certifies that its sub-processors, as described in Section 10 (Sub-Processing) of this DPA, are Service Providers under Applicable Data Protection Law, with whom Gradian has entered into a written contract that includes terms substantially similar to this DPA. Gradian conducts appropriate due diligence on its sub-processors.
- Gradian will implement and maintain reasonable security procedures and practices appropriate to the nature of the personal data it processes.
European Economic Area (EEA)
- The definition of “Applicable Data Protection Law” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).
- When Gradian engages a sub-processor it will:
- require any appointed sub-processor to protect the Company Personal Data to the standard required by Applicable Data Protection Law, including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
- require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.
- Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
United Kingdom (UK)
- References in this DPA to the GDPR will, to that extent, be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and the Data Protection Act 2018).
- When Gradian engages a sub-processor it will:
- require any appointed sub-processor to protect the Company Personal Data to the standard required by Applicable Data Protection Law, including the same data protection obligations referred to in Article 28(3) of the UK GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the UK GDPR; and
- require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the United Kingdom has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent United Kingdom data protection authorities.
- Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.