Data Processing Addendum

Last updated on: 12 July 2020

This Data Processing Addendum (the Addendum) forms part of the Privacy Policy (and any ancillary or related documentation), as updated or amended from time to time (the Agreement), between you, the Customer (as defined below) and All capitalised terms not defined in this Addendum have the meaning set out in the Agreement.

This addendum only applies if and to the extent processes personal data on behalf of a Customer that qualifies as a controller with respect to that personal data under Applicable Data Protection Law (as defined below). If the Customer had entered into earlier data processing terms with, those terms are replaced by this Addendum.

  1. Definitions: In this Addendum, the following terms have the following meanings:
    1. controller, processor, data subject, personal data, processing (and process) and special categories of personal data have the meanings given in Applicable Data Protection Law
    2. Applicable Data Protection Law means the EU General Data Protection Regulation (Regulation 2016/679) (the GDPR) and any applicable national laws made under the GDPR
    3. Customer has the same meaning as ‘you’ in the Terms and Conditions
  2. Relationship of the parties: The Customer (the controller) appoints as a processor to process the personal data described in Annex A (the Data) only on the controller’s documented instructions (and as per the terms set out in this Addendum) for the purposes described in the Agreement or as otherwise agreed in writing by the parties (the Permitted Purpose). Each party must comply with the obligations that apply to it under Applicable Data Protection Law.
  3. Prohibited data: Unless explicitly requested by to do so, the Customer will not disclose (and will not permit any data subject to disclose) any special categories of personal data to for processing.
  4. International transfers: will not transfer the Data outside of the European Economic Area (EEA) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data (e.g., Australia), to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
  5. Confidentiality of processing: will ensure that any person it authorises to process the Data (an Authorised Person) will protect the Data in accordance with’s confidentiality obligations under the Agreement.
  6. Security: will implement technical and organisational measures, as set out in Annex B, which may be amended and updated from time to time, to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a Security Incident).
  7. Subcontracting: The Customer consents to engaging third-party subprocessors to process the Data for the Permitted Purpose provided that:
    1. maintains an up-to-date list of its subprocessors, which is available on its website at the subprocessors page, which it will update with details of any change in subprocessors at least 30 days prior to the change;
    2. imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and
    3. remains liable for any breach of this Addendum that is caused by an act, error or omission of its subprocessor. The Customer may object to’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, will either not appoint or replace the subprocessor or, if determines at its sole discretion that this is not reasonably possible, the Customer may suspend or terminate the Agreement without penalty (without prejudice to any fees incurred by the Customer up to and including the date of suspension or termination).
  8. Cooperation and data subjects’ rights: will provide reasonable and timely assistance to the Customer (at the Customer’s expense) to enable the Customer to respond to:
    1. any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and
    2. any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. If any such request, correspondence, enquiry or complaint is made directly to, will promptly inform the Customer, providing full details.
  9. Data Protection Impact Assessment: If believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it will inform the Customer and provide reasonable cooperation to the Customer in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
  10. Security incidents: If it becomes aware of a confirmed Security Incident, will inform the Customer without undue delay and will provide reasonable information and cooperation to the Customer so that they can fulfil any data breach reporting obligations they may have under (and in accordance with the timescales required by) Applicable Data Protection Law. will further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and keep the Customer informed of all material developments in connection with the Security Incident.
  11. Deletion or return of Data: will retain the Data for a period of 30 years after a subscription is terminated in case the Customer later needs access to it. On expiry of this period or on the Customer’s earlier request, will delete or return the Data in a manner and form decided by, acting reasonably. The data may also be deleted at our sole discretion if it pertains to discontinued features of the platform. This requirement will not apply to the extent that is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which Data shall securely isolate and protect from any further processing.

Annex A – Data Processing Schedule

1. Subject Matter and Duration of Processing of Personal Data

The subject matter of this Annex concerns the provision by of data processing services connected with providing services to the Customer.

The duration of processing personal data shall be for as long as we have a business relationship with the Customer, and at the end of that relationship, we will act in accordance with clause 11 regarding deletion or return of such personal data.

2. Nature and Purpose of Processing Personal Data

The nature and purpose of processing personal data is to enable the functionality of the platform as set out in the Terms and Conditions and related documentation. This involves inter alia:

  1. Storage
  2. Access for reporting (online dashboards and Excel, PowerPoint, .csv, PDF, and other exports)

3. Categories of Data Subjects

The categories of data subjects include:

  1. Employees and contractors of Customer (“Users”)
  2. Survey respondents (“Respondents”)

A user can be a respondent if they preview or answer a survey.

4. Types of Personal Data Processed

The types of data processed differ between users and respondents.

| Type of data | For users | For respondents |
| --- | --- | --- |
| Names | Yes | Only if asked in a survey or uploaded by user |
| Address | Only if provided | Only if asked in a survey or uploaded by user |
| Contact details | Yes | Only if asked in a survey or uploaded by user |
| Identification details (eg, tax registration numbers) | Only if provided | Only if asked in a survey or uploaded by user |
| Other personal data types for use on the platform | Only if provided | Only if asked in a survey or uploaded by user |
| Personal identifier (ID) | Yes | Yes |
| Responses to surveys* | No | Yes |
| Access logs to platform (including hashed passwords) | Yes | No |
| The time of opening the survey | Yes | Yes (unless the Anonymise Responses function is used) |
| IP address and associated location | Only if provided | Yes (unless the Anonymise Responses function is used) |
| Browser location | No | Yes, if respondent permits (unless the Anonymise Responses function is used) |
| Browser cookies and identification strings | Yes | Yes |
| Type of device used | Yes | Yes |
| Information from third-party sign-up systems, such as LinkedIn | Yes, if user chooses to log in through LinkedIn | No |
| Credit card information | Stored by Stripe (if provided) | No |

* Responses to surveys may include sensitive personal data (i.e., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation). Such data is only collected if it is asked of respondents in the survey or if it is uploaded by the employees to the report.

Annex B – Security Measures

We’re committed to the security of your data and provide multiple layers of protection for the information you trust to

You control access

As a customer you have the flexibility to invite unlimited users to collaborate on your experiments. The owner of the experiment has control over who has access and what they are able to do.

User authentication

We provide standard access to the software through a login and password. In addition we offer the option of using two-step authentication. This provides a second level of security for your account. It means you’re also asked to enter a unique code generated by a separate authenticator app on your smartphone. We recommend you use two-step authentication as it reduces the risk of your account being accessed if your password is compromised.

Data encryption

We encrypt all data that goes between you and using industry-standard TLS (Transport Layer Security), protecting your data. Your data is also encrypted at rest when it is stored on our servers, and encrypted when we transfer it between data centres for backup and replication.

Secure data centres

’s servers are located within enterprise-grade hosting facilities that employ robust physical security controls to prevent physical access to the servers they house. These controls include 24/7/365 monitoring and surveillance, on-site security staff and regular ongoing security audits. maintains multiple geographically separated data replicas and hosting environments to minimise the risk of data loss or outages.

We store information on secure servers located in the United States. On custom projects and during execution of support activities, the data may be transferred to Australia and other countries to our employees and direct contractors.

Security monitoring

continuously monitors security systems, event logs, notifications and alerts from all systems to identify and manage threats.