Last updated on: 22 July 2022
This Data Processing Addendum (the Addendum) forms part of the Conjointly Privacy Policy (and any ancillary or related documentation), as updated or amended from time to time (the Agreement), between you, the Customer (as defined below) and Conjointly. All capitalised terms not defined in this Addendum have the meaning set out in the Agreement.
This Addendum only applies if and to the extent Conjointly processes personal data on behalf of a Customer that qualifies as a controller with respect to that personal data under Applicable Data Protection Law (as defined below). If the Customer had entered into earlier data processing terms with Conjointly, those terms are replaced by this Addendum.
- Definitions: In this Addendum, the following terms have the following meanings:
- controller, processor, data subject, personal data, processing (and process) and special categories of personal data have the meanings given in Applicable Data Protection Law
- Applicable Data Protection Law means the EU General Data Protection Regulation (Regulation 2016/679) (the GDPR) and any applicable national laws made under the GDPR
- Customer has the same meaning as ‘you’ in the Conjointly Terms and Conditions
- Relationship of the parties: The Customer (the controller) appoints Conjointly as a processor to process the personal data described in Annex A (the Data) only on the controller’s documented instructions (and as per the terms set out in this Addendum) for the purposes described in the Agreement or as otherwise agreed in writing by the parties (the Permitted Purpose). Each party must comply with the obligations that apply to it under Applicable Data Protection Law.
- Prohibited data: Unless explicitly requested by Conjointly to do so, the Customer will not disclose (and will not permit any data subject to disclose) any special categories of personal data to Conjointly for processing.
- International transfers: Conjointly will not transfer the Data outside of the European Economic Area (EEA) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data (e.g., Australia), to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
- Confidentiality of processing: Conjointly will ensure that any person it authorises to process the Data (an Authorised Person) will protect the Data in accordance with Conjointly’s confidentiality obligations under the Agreement.
- Security: Conjointly will implement technical and organisational measures, as set out in Annex B, which may be amended and updated from time to time, to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a Security Incident).
- Subcontracting: The Customer consents to Conjointly engaging third-party subprocessors to process the Data for the Permitted Purpose provided that:
- Conjointly maintains an up-to-date list of its subprocessors, which is available on its website at the Conjointly subprocessors page, which it will update with details of any change in subprocessors at least 30 days prior to the change;
- Conjointly imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and
- Conjointly remains liable for any breach of this Addendum that is caused by an act, error or omission of its subprocessor. The Customer may object to Conjointly’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, Conjointly will either not appoint or replace the subprocessor or, if Conjointly determines at its sole discretion that this is not reasonably possible, the Customer may suspend or terminate the Agreement without penalty (without prejudice to any fees incurred by the Customer up to and including the date of suspension or termination).
- Cooperation and data subjects’ rights: Conjointly will provide reasonable and timely assistance to the Customer (at the Customer’s expense) to enable the Customer to respond to:
- any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and
- any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. If any such request, correspondence, enquiry or complaint is made directly to Conjointly, Conjointly will promptly inform the Customer, providing full details.
- Data Protection Impact Assessment: If Conjointly believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it will inform the Customer and provide reasonable cooperation to the Customer in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
- Security incidents: If it becomes aware of a confirmed Security Incident, Conjointly will inform the Customer without undue delay and will provide reasonable information and cooperation to the Customer so that they can fulfil any data breach reporting obligations they may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Conjointly will further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and keep the Customer informed of all material developments in connection with the Security Incident.
- Deletion or return of Data: Conjointly will retain the Data for a period of 30 years after a subscription is terminated in case the Customer later needs access to it. On expiry of this period or on the Customer’s earlier request, Conjointly will delete or return the Data in a manner and form decided by Conjointly, acting reasonably. The data may also be deleted at our sole discretion if it pertains to discontinued features of the platform. This requirement will not apply to the extent that Conjointly is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which Data Conjointly shall securely isolate and protect from any further processing.
Annex A – Data Processing Schedule
1. Subject Matter and Duration of Processing of Personal Data
The subject matter of this Annex concerns the provision by Conjointly of data processing services connected with providing services to the Customer.
The duration of processing personal data shall be for as long as we have a business relationship with the Customer, and at the end of that relationship, we will act in accordance with clause 11 regarding deletion or return of such personal data.
2. Nature and Purpose of Processing Personal Data
The nature and purpose of processing personal data is to enable the functionality of the Conjointly platform as set out in the Conjointly Terms and Conditions and related documentation. This involves inter alia:
- Storage
- Access for reporting (online dashboards and Excel, PowerPoint, .csv, PDF, and other exports)
3. Categories of Data Subjects
The categories of data subjects include:
- Employees and contractors of Customer ("Users")
- Survey respondents ("Respondents")
A user can be a respondent if they preview or answer a survey.
4. Types of Personal Data Processed
The types of data processed differ between users and respondents.
Type of data | For users | For respondents |
---|---|---|
Names | Yes | Only if asked in a survey or uploaded by user |
Address | Only if provided | Only if asked in a survey or uploaded by user |
Contact details | Yes | Only if asked in a survey or uploaded by user |
Identification details (eg, tax registration numbers) | Only if provided | Only if asked in a survey or uploaded by user |
Other personal data types for use on the Conjointly platform | Only if provided | Only if asked in a survey or uploaded by user |
Personal identifier (ID) | Yes | Yes |
Responses to surveys* | No | Yes |
Access logs to Conjointly platform (including hashed passwords) | Yes | No |
The time of opening the survey | Yes | Yes (unless the Anonymise Responses function is used) |
IP address and associated location | Only if provided | Yes (unless the Anonymise Responses function is used) |
Browser location | No | Yes, if respondent permits (unless the Anonymise Responses function is used) |
Browser cookies and identification strings | Yes | Yes |
Type of device used | Yes | Yes |
Information from third-party sign-up systems, such as LinkedIn | Yes, if user chooses to log in through LinkedIn | No |
Credit card information | Stored by Stripe (if provided) | No |
* Responses to surveys may include sensitive personal data (i.e., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation). Such data is only collected if it is asked of respondents in the survey or if it is uploaded by the employees to the report.
Annex B – Security Measures
We’re committed to the security of your data and provide multiple layers of protection for the information you trust to Conjointly.
You control access
As a Conjointly customer you have the flexibility to invite unlimited users to collaborate on your experiments. The owner of the experiment has control over who has access and what they are able to do.
User authentication
We provide standard access to the Conjointly software through a login and password. In addition we offer the option of using two-step authentication. This provides a second level of security for your Conjointly account. It means you’re also asked to enter a unique code generated by a separate authenticator app on your smartphone. We recommend you use two-step authentication as it reduces the risk of your Conjointly account being accessed if your password is compromised.
Data encryption
We encrypt all data that goes between you and Conjointly using industry-standard TLS (Transport Layer Security), protecting your data. Your data is also encrypted at rest when it is stored on our servers, and encrypted when we transfer it between data centres for backup and replication.
Secure data centres
Conjointly’s servers are located within enterprise-grade hosting facilities that employ robust physical security controls to prevent physical access to the servers they house. These controls include 24/7/365 monitoring and surveillance, on-site security staff and regular ongoing security audits. Conjointly maintains multiple geographically separated data replicas and hosting environments to minimise the risk of data loss or outages.
We store information on secure servers located in the United States. On custom projects and during execution of support activities, the data may be transferred to Australia and other countries to our employees and direct contractors.
Security monitoring
Conjointly continuously monitors security systems, event logs, notifications and alerts from all systems to identify and manage threats.