USERTESTING
DATA PROCESSING ADDENDUM

Updated July 27, 2020

This Data Processing Addendum (“DPA”) supplements and is incorporated into the terms of service (“Agreement”) between User Testing, Inc. (“UserTesting”) and you the Customer (“Customer”) for the purchase of services (identified either as “Services” or otherwise in the applicable agreement, and hereinafter defined as "Services"). If Customer has already entered into an existing agreement with governing the processing of data, then any inconsistencies between this DPA and the existing agreement shall be interpreted in favor of this DPA as to Personal Data subject to the GDPR and/or the CCPA, which shall take precedence.

  1. INTRODUCTION

    In the course of providing the Services to Customer pursuant to the Agreement, UserTesting may Process Customer Data (described below) on behalf of Customer. The Parties agree to comply with the provisions of this DPA with respect to any such Customer Data, to the extent the GDPR and/or the CCPA (each defined hereinafter) applies.

    By signing the DPA, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates if, and to the extent, UserTesting Processes Customer Data for which such Authorized Affiliates qualify as the Controller. Solely for the purposes of this DPA, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement or the Data Protection Laws and Regulations.

  2. DEFINITIONS

    “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

    “Authorized Affiliate” means any of Customer's Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and UserTesting, but has not signed its own order form with UserTesting and is not a "Customer" as defined under the Agreement.

    “Business” shall have the meaning in the CCPA.

    “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq. and all implementing regulations thereof.

    “Consumer” means a natural person who is a California resident, as defined in CCPA.

    “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

    “Customer Data” means the Personal Data set out in Annex 1 (Details of the Processing) to this DPA.

    “Data Protection Laws and Regulations”  means (i) the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time with respect to any Personal Data regarding any individual in the European Economic Area and (ii) the CCPA, together with all applicable implementing regulations with respect to any Personal Data regarding any Consumer;

    “Data Subject” means the identified or identifiable person to whom Personal Data relates.

    “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

    “Personal Data” means any information relating to an identified or identifiable Data Subject. With respect to Personal Data pertaining to any Consumer, Personal Data means Personal Information as defined under the CCPA and includes, but is not limited to, the data elements listed in section 140(o)(1)(A)-(K) of CCPA, if any such data element identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular Consumer or household. This definition shall automatically adjust according to any subsequent amendments introduced by law.

    “Customer Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored or otherwise Processed.

    “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    “Processor” means the entity which Processes Personal Data on behalf of the Controller.

    “Sub-Processor” means any third party authorized under this DPA to Process Customer Data for carrying out specific Processing activities on behalf of the Controller.

  3. PROCESSING OF PERSONAL DATA

    3.1. Roles of the Parties. The parties acknowledge and agree that (i) Customer is the Controller and UserTesting is the Processor with respect to Customer Data of or regarding Data Subjects in the European Economic Area and (ii) Customer is the Business and UserTesting is the Service Provider with respect to Customer Data of or regarding Consumers.

    3.2. Customer’s Processing of Customer Data. Customer shall, in its use of the Services, Process Customer Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Data shall comply with Data Protection Laws and Regulations. Customer shall ensure that Customer has provided or shall provide any necessary notices to Data Subjects and/or Consumers, and has obtained or shall obtain all consents and rights necessary for UserTesting to Process Customer Data in accordance with this DPA.

    3.3. UserTesting’s Processing of Customer Data regarding individuals located in the European Economic Area. The terms of this Section 3.3 apply to Customer Data that is subject to the GDPR. UserTesting shall only Process Customer Data to the extent necessary to enable UserTesting to provide the Services in accordance with the Agreement and applicable order form(s). If UserTesting believes that a Customer’s instruction violates any of the Data Protection Laws and Regulations, UserTesting will notify Customer and UserTesting shall not be liable to Customer under the Agreement for any failure to perform the Services until such time as Customer issues new instructions in regard to such Processing.

    3.4. UserTesting’s Processing of Customer Data regarding Consumers. The terms of this Section 3.4 apply to Customer Data that is subject to the CCPA.

    3.4.1. UserTesting agrees as follows:

    3.4.1.1. UserTesting is a Service Provider with respect to Customer Data.

    3.4.1.2. UserTesting shall not (1) Sell Customer Data, or (2) retain, use or disclose Customer Data (a) for any purpose other than for the specific purpose of performing the Services, or (b) outside of the direct business relationship between Customer and UserTesting. UserTesting shall not aggregate any Customer Data for its own purposes or combine Customer Data with other information.

    3.4.1.3. Notwithstanding Section 3.4.1.2, UserTesting may (1) combine Customer Data from other companies or Customers only to the extent necessary for security or to protect against fraudulent or illegal activity, and (2) use Aggregate Consumer Information or Deidentified Information to improve the Services provided UserTesting complies with the provisions of the CCPA regarding Deidentification.

    3.4.2. The Parties acknowledge and agree as follows:

    3.4.2.1. The Customer Data that UserTesting collects on behalf of Customer or that Customer discloses to UserTesting is provided to UserTesting for a Business Purpose, and Customer does not receive consideration of any kind for the Customer Data in connection with the Agreement, other than consideration for the Services to be provided.

    3.4.2.2. UserTesting certifies that it understands and shall comply with the requirements and restrictions set forth in this Section 3.4.

    3.5. Details of the Processing. The subject-matter of Processing of Customer Data by UserTesting is the performance of the Services pursuant to the Agreement and applicable order form(s). The duration of the Processing, the nature and purpose of the Processing, the types of Customer Data Processed and the categories of Data Subjects are specified in Annex 1 (Details of the Processing) to this DPA.

  4. RIGHTS OF DATA SUBJECTS

    4.1. Data Subject or Consumer Requests. UserTesting shall, to the extent legally permitted, promptly notify Customer if it receives a request from Data Subjects and/or Consumers to exercise their rights under the Data Protection Laws and Regulations with respect to Customer Data, including, as applicable, the right of access, information about categories of sources from which the Customer Data is collected, information about categories of Customer Data collected, right to rectification, restriction of Processing, erasure or deletion, data portability, object to the Processing, or the right not to be subject to an automated individual decision making (each, a “Data Subject or Consumer Request”). UserTesting shall not respond to a Data Subject or Consumer Request without Customer’s prior written consent and instructions provided that UserTesting may provide a confirmation of receipt. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject or Consumer Request, UserTesting shall upon Customer’s request provide commercially reasonable assistance to facilitate such Data Subject or Consumer Request to the extent UserTesting is legally permitted to do so and provided that such Data Subject or Consumer Request is exercised in accordance with Data Protection Laws and Regulations. Customer shall be solely responsible for verifying the identity of Data Subject or Consumer as required by Data Protection Laws, and to the extent legally permitted, Customer shall be responsible for any costs arising from UserTesting’s provision of such assistance. Upon Customer's request, UserTesting shall promptly delete a particular Data Subject’s or Consumer's Customer Data subject to the GDPR or the CCPA from UserTesting's records. 
In the event UserTesting is unable to delete the Customer Data for reasons permitted under the GDPR or the CCPA, UserTesting shall (i) promptly inform Customer of the reason(s) for its refusal of the deletion request, (ii) ensure no further retention, use or disclosure of such Customer Data except as may be necessitated by the reason(s) for UserTesting's refusal of the deletion request and as disclosed to Customer, (iii) ensure the ongoing privacy, confidentiality and security of such Customer Data, and (iv) delete such Customer Data promptly after the reason(s) for UserTesting's refusal has expired.

  5. CONFIDENTIALITY

    5.1. Confidentiality. UserTesting shall ensure that its personnel engaged in the Processing of Customer Data are informed of the confidential nature of the Customer Data and have executed written confidentiality agreements.

  6. SUB-PROCESSORS

    6.1. Appointment of Sub-Processors. Customer hereby grants UserTesting general written authorization to engage Sub-Processors in connection with the provision of the Services. UserTesting shall enter into a written agreement with each Sub-Processor containing data protection obligations that are at least as protective as those set out in this DPA with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-Processor. Where any of its Sub-Processors fails to fulfil its data protection obligations, UserTesting shall be liable to Customer for the performance of its Sub-Processors’ obligations.

    6.2. List of Current Sub-Processors and Notification of New Sub-Processors. On request, UserTesting shall make available to Customer the then-current list of Sub-Processors, including the identities of the Sub-Processors and their country of location. UserTesting shall provide notification of a new Sub-Processor(s) before authorizing any new Sub-Processor(s) to Process Customer Data in connection with the provision of the applicable Services.

    6.3. Objection Right for New Sub-Processors. Customer may object to UserTesting’s use of a new Sub-Processor by notifying UserTesting promptly in writing within ten (10) business days after receipt of UserTesting’s notice. In the event Customer reasonably objects to the use of a new Sub-Processor, then either party may terminate this DPA and the Agreement without penalty by providing written notice to the other party.

  7. SECURITY

    7.1. UserTesting’s Security Measures. UserTesting shall implement and maintain reasonable security measures to meet the requirements of Data Protection Laws and Regulations, including, without limitation appropriate technical and organizational measures to ensure the security of Customer Data (including protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data), including the measures required by Article 32 of the GDPR. UserTesting regularly monitors compliance with the Security Measures.

  8. DATA INCIDENTS

    8.1. UserTesting shall notify Customer without undue delay after becoming aware of a Customer Data Breach involving Customer Data transmitted, stored or otherwise Processed by UserTesting or its Sub-Processors. UserTesting shall provide reasonable assistance to Customer in ensuring compliance with Customer’s obligations to notify the competent data protection authority and/or Data Subjects of a Customer Data Breach, taking into account the nature of Processing and the information available to UserTesting. UserTesting shall not assess the contents of Customer Data in order to identify information subject to any specific legal requirements under the Data Protection Laws and Regulations or other applicable law. Customer is solely responsible for complying with data incident notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any Customer Data Breach. The obligations herein shall not apply to Customer Data Breaches that are caused by Customer or Customer’s users.

  9. DATA PROTECTION IMPACT ASSESSMENT

    9.1. Upon Customer’s request, UserTesting shall provide Customer with reasonable cooperation and assistance to facilitate fulfilment by Customer of its obligations under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services and/or to engage in prior consultation with the competent data protection authority, where required by the GDPR and taking into account the nature of Processing and the information available to UserTesting.

  10. DATA TRANSFERS

    10.1. In connection with the performance of the Agreement with regard to Customer Data relating to an individual in the European Economic Area (“EEA”) Customer authorizes UserTesting to transfer Customer Data from the EEA to the United States. UserTesting has certified to the EU-U.S. Privacy Shield framework as administered by the U.S. Department of Commerce (“Privacy Shield”) and commits to comply with its obligations for any Customer Data transferred under the Privacy Shield throughout the term of this DPA. To learn more about the Privacy Shield Framework and to view UserTesting’s certification, please visit https://www.privacyshield.gov/.

    10.2. Where the Privacy Shield does not apply, UserTesting will abide by the GDPR Standard Contractual Clauses, incorporated into this Agreement by reference.

  11. INFORMATION

    11.1. UserTesting shall provide Customer with all information necessary to enable Customer to demonstrate compliance with its obligations under the GDPR and/or CCPA, and reasonably allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, to the extent that such information is within UserTesting’s control and UserTesting is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party. UserTesting may charge a reasonable fee for any audits carried out in accordance with this clause. UserTesting shall provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer shall be solely responsible for any fees charged by any auditor appointed by Customer to execute any such audit. To the extent that Customer or any auditor appointed by Customer causes any damage, injury or disruption to UserTesting’s premises, equipment, personnel and business in the course of such an audit or inspection, Customer shall be solely responsible for any costs associated therewith.

  12. RETURN AND DELETION OF CUSTOMER DATA

    12.1. Upon written request, UserTesting shall return or delete, at Customer’s choice, Customer Data to Customer after the end of the provision of Services relating to the Processing of Customer Data, and delete existing copies unless the applicable law requires continued storage of all or portions of Customer Data.

  13. AUTHORIZED AFFILIATES

    13.1. Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between UserTesting and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 13 and Section 14. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Services by Authorized Affiliates shall comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.

    13.2. Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with UserTesting under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.

    13.3. Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA, it shall be entitled to exercise the rights under this DPA, to the extent required under applicable Data Protection Laws and Regulations, subject to the following:

    13.3.1. Unless otherwise required by the applicable Data Protection Laws and Regulations, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for all of its Authorized Affiliates together (as set forth, for example, in Section 9.3.2, below).

    13.3.2. The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an on-site audit of the Processing pursuant to the DPA, take all reasonable measures to limit any impact on UserTesting and its Sub-Processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Authorized Affiliates in one single audit.

  14. CUSTOMER INSTRUCTIONS

    14.1. Customer acknowledges that UserTesting is reliant on Customer for direction concerning the extent to which UserTesting may Process Customer Data on behalf of Customer in performance of the Services. Consequently UserTesting shall not be liable under the Agreement for any claim or complaint brought by a Data Subject or Consumer arising from any action or omission by UserTesting, to the extent that such action or omission resulted directly from Customer’s instructions or from Customer’s failure to comply with its obligations under the Data Protection Laws and Regulations.

  15. GOVERNING LAW

    15.1. The parties hereby submit to the choice of law and choice of venue and jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; provided, however, that with respect to any disputes under the GDPR only, the parties agree that this DPA shall be governed by the laws of Ireland.

List of Annexes

Annex 1: Details of the Processing

ANNEX 1 - DETAILS OF THE PROCESSING

Nature and Purpose of Processing

UserTesting processes Customer Data for the purposes of providing the Services to Customer as set out in the Agreement.

In particular, as a part of the Services, Customer identifies the Participants (herein also referred to as Data Subjects) that Customer requires to participate in user tests through the UserTesting platform. UserTesting takes instructions from Customers and presents them to selected Participants. Participants follow the instructions while UserTesting records Participants’:

  • screen
  • voice
  • answers to any questions in response to Customer’s instructions

The resulting video and answers are then available to Customers for further processing using the UserTesting platform including:

  • Note taking
  • Clip making
  • Highlight reel creation
  • Machine transcription
  • Sharing of videos (full videos, clips and highlight reels)
  • Downloading of videos (full videos, clips and highlight reels)
  • Downloading of notes, transcripts and links to videos in Excel format.

While this additional processing is facilitated by UserTesting’s platform, it is completely controlled by Customer.

Duration of Processing

Subject to Section 12 of the DPA, UserTesting shall Process Customer Data for the duration of the Agreement, unless otherwise agreed upon in writing.

Categories of Data Subjects

Individuals who are members of the UserTesting Panel (“Participants”)

Participants who are identified and provided by Customer to participate in user tests through the UserTesting platform.

Customers who use the UserTesting Platform

Type of Personal Data that constitute Customer Data

Participants from Panel

  • Personal Data that may be included in answers provided by Participants when they answer questions and have their computer screen recorded during a test session. Customer controls what questions are asked and Customer owns the resulting video/audio.

Participants identified, recruited and/or provided by Customer

  • Email address
  • Personal Data that may be included in answers provided by Participants when they answer questions and have their computer screen recorded during a test session. Customer controls what questions are asked and Customer owns the resulting video/audio.

Customers who use the UserTesting Platform

  • Personal Data that may be included in sessions with Participant when Customer shares screen with Participant during sessions and when they answer questions and have their computer screen recorded during a test session. Customer controls what is shown and Customer owns the resulting video/audio.