
Data Processing Agreement

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the UserTesting Customer Terms and Conditions (“T&Cs”) between UserTesting, Inc. (“UserTesting”) and you the customer (“Customer”). Terms capitalized but not defined in this DPA shall have the meaning assigned to them in the T&Cs.


1. INTRODUCTION

In the course of providing the Services to Customer pursuant to the T&Cs, UserTesting may Process Personal Data on behalf of Customer. The Parties agree to comply with the provisions of this DPA with respect to any such Personal Data, to the extent the General Data Protection Regulation (2016/679/EU, hereinafter to be referred to as “GDPR”) applies.

By signing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Subsidiaries. Solely for the purposes of this DPA, and except where indicated otherwise, the term “Customer” shall include Customer and Authorized Subsidiaries. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.


2. DEFINITIONS

“Subsidiary” means any entity that is controlled by the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Authorized Subsidiary” means any of Customer’s Subsidiaries which are (a) subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) are permitted to use the Services pursuant to the Agreement between Customer and UserTesting, but has not signed its own order form with UserTesting and is not a “Customer” as defined under the Agreement.

“Controller” shall have the meaning as defined in the GDPR.

“Customer Data” means the Personal Data set out in Annex 1 (Details of the Processing) to this DPA.

“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union (including the GDPR), the European Economic Area and their member states or, to the extent applicable, in any other country, applicable to the Processing of Personal Data.

“Data Subject” shall have the meaning as defined in the GDPR.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” shall have the meaning as defined in the GDPR.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Process” or “Processing” shall have the meaning(s) as defined in the GDPR.

“Processor” shall have the meaning as defined in the GDPR.

“Sub-Processor” shall have the meaning as defined in the GDPR.


3. PROCESSING OF PERSONAL DATA

3.1. Roles of the Parties. The parties acknowledge and agree that, with regard to the Processing of Personal Data contained in a Recording and otherwise obtained from Customer’s utilization of the Platform, Customer shall serve as the Controller and UserTesting shall serve as the Processor.

3.2. Customer’s Processing of Customer Data. Customer shall, in its use of the Platform and Services, Process Customer Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall ensure that Customer has provided or will provide any necessary notices to Data Subjects, and has obtained or will obtain all consents and rights necessary for UserTesting to Process Customer Data in accordance with this DPA.

3.3. UserTesting’s Processing of Customer Data. UserTesting shall only Process Customer Data on behalf of and in accordance with Customer’s documented instructions. UserTesting is hereby instructed to Process Customer Data to the extent necessary to enable UserTesting to provide the Services in accordance with the T&Cs and applicable Orders. If UserTesting cannot process Customer Data in accordance with Customer’s instructions due to a legal requirement under any applicable European Union or Member State law, UserTesting will (i) promptly notify Customer in writing (including by e-mail) of such legal requirement before carrying out the relevant Processing to the extent permitted by the applicable law; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Customer Data) until such time as Customer provides UserTesting with new instructions with which UserTesting is able to comply. If this provision is invoked, UserTesting will not be liable to Customer under the Agreement for any failure to perform the Services thereunder until such time as Customer issues new instructions in regard to such Processing. UserTesting will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws and Regulations.

3.4. Details of the Processing. The subject-matter of Processing of Personal Data by UserTesting is the performance of the Services pursuant to the Agreement and applicable order form(s). The duration of the Processing, the nature and purpose of the Processing, the types of Customer Data Processed and the categories of Data Subjects are specified in Annex 1 (Details of the Processing) to this DPA.


4. RIGHTS OF DATA SUBJECTS

4.1. Data Subject Request. UserTesting will, to the extent legally permitted, promptly notify Customer if it receives a request from Data Subjects to exercise their rights under the Data Protection Laws and Regulations with respect to Customer Data, including – with effect from May 25, 2018 – the right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or the right not to be subject to an automated individual decision making (“Data Subject Request”). UserTesting shall not respond to a Data Subject Request without Customer’s prior written consent and instructions. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, UserTesting shall upon Customer’s request provide commercially reasonable assistance to facilitate such Data Subject Request to the extent UserTesting is legally permitted to do so and provided that such Data Subject Request is exercised in accordance with Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from UserTesting’s provision of such assistance.


5. SUB-PROCESSORS

5.1. Appointment of Sub-Processors. Customer hereby grants UserTesting general written authorization to engage Sub-Processors in connection with the provision of the Services. UserTesting will enter into a written agreement with each Sub-Processor containing the same data protection obligations as those set out in this DPA with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-Processor. Where any of its Sub-Processors fails to fulfil its data protection obligations, UserTesting shall be liable to the Customer for the performance of its Sub-Processors’ obligations.

5.2. List of Current Sub-Processors and Notification of New Sub-Processors. On request, UserTesting will make available to the Customer the then-current list of Sub-Processors, including the identities of the Sub-Processors and their country of location. UserTesting will provide notification of a new Sub-Processor(s) before authorizing any new Sub-Processor(s) to Process Personal Data in connection with the provision of the applicable Services.

5.3. Objection Right for New Sub-Processors. Customer may object to UserTesting’s use of a new Sub-Processor by notifying UserTesting promptly in writing within ten (10) business days after receipt of UserTesting’s notice. In the event Customer reasonably objects to the use of a new Sub-Processor, then either party may terminate this DPA and the Agreement without penalty by providing written notice to the other party.


6. SECURITY

6.1. UserTesting’s Security Measures. UserTesting will implement and maintain appropriate technical and organizational measures to ensure the security of Customer Data (including protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data), including the measures required by Article 32 of the GDPR. UserTesting regularly monitors compliance with the Security Measures.


7. DATA INCIDENTS

7.1. UserTesting will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Data transmitted, stored or otherwise Processed by UserTesting or its Sub-Processors. UserTesting will provide reasonable assistance to the Customer in ensuring compliance with the Customer’s obligations to notify the competent data protection authority and/or Data Subjects of a Personal Data Breach, taking into account the nature of Processing and the information available to UserTesting. UserTesting will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements under the Data Protection Laws and Regulations or other applicable law. Customer is solely responsible for complying with data incident notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach. The obligations herein shall not apply to Personal Data Breaches that are caused by Customer or Customer’s users.


8. DATA PROTECTION IMPACT ASSESSMENT

8.1. Upon Customer’s request, UserTesting shall provide Customer with reasonable cooperation and assistance to facilitate fulfilment by Customer of its obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services and to engage in prior consultation with the competent data protection authority, where required by the GDPR and taking into account the nature of Processing and the information available to UserTesting.


9. DATA TRANSFERS

9.1. In connection with the performance of the Agreement, Customer authorizes UserTesting to transfer Customer Data from the European Economic Area (“EEA”) to the United States. UserTesting has certified to the EU-U.S. Privacy Shield framework as administered by the U.S. Department of Commerce and commits to comply with its obligations for the Customer Data transferred under the Privacy Shield throughout the term of this DPA. To learn more about the Privacy Shield Framework and to view UserTesting’s certification, please visit https://www.privacyshield.gov/.


10. INFORMATION

10.1. UserTesting will provide Customer with all information necessary to enable the Customer to demonstrate compliance with its obligations under the GDPR, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, to the extent that such information is within UserTesting’s control and UserTesting is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party. UserTesting may charge a reasonable fee for any audits carried out in accordance with this clause. UserTesting will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.


11. RETURN AND DELETION OF CUSTOMER DATA

11.1. Upon written request, UserTesting shall return or delete, at Customer’s choice, Customer Data to the Customer after the end of the provision of Services relating to the Processing of Customer Data, and delete existing copies unless the applicable European Union or member state law requires storage of the data.


12. AUTHORIZED SUBSIDIARIES

12.1. Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Subsidiaries, thereby establishing a separate DPA between UserTesting and each such Authorized Subsidiary subject to the provisions of the Agreement and this Section 13 and Section 14. Each Authorized Subsidiary agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Subsidiary is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Services by Authorized Subsidiaries shall comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Subsidiary shall be deemed a violation by Customer.

12.2. Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with UserTesting under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Subsidiaries.

12.3. Rights of Authorized Subsidiaries. Where an Authorized Subsidiary becomes a party to the DPA, it shall be entitled to exercise the rights under this DPA, to the extent required under applicable Data Protection Laws and Regulations, subject to the following:

12.3.1. Unless otherwise required by the applicable Data Protection Laws and Regulations, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Subsidiary, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Subsidiary individually but in a combined manner for all of its Authorized Subsidiaries together (as set forth, for example, in Section 9.3.2, below).

12.3.2. The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an on-site audit of the Processing pursuant to the DPA, take all reasonable measures to limit any impact on UserTesting and its Sub-Processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Authorized Subsidiaries in one single audit.


13. LIABILITY

13.1. The Customer acknowledges that UserTesting is reliant on the Customer for direction concerning the extent to which UserTesting may Process Customer Data on behalf of Customer in performance of the Services. Consequently UserTesting will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by UserTesting, to the extent that such action or omission resulted directly from the Customer’s instructions or from Customer’s failure to comply with its obligations under the Data Protection Laws and Regulations.

13.2. Each party’s and all of its Subsidiaries’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Subsidiaries and UserTesting, whether in contract, tort or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Subsidiaries under the Agreement and all DPAs together.

13.3. For the avoidance of doubt, UserTesting’s total liability for all claims from the Customer and all of its Authorized Subsidiaries arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Customer and all Authorized Subsidiaries, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Subsidiary that is a contractual party to any such DPA.

Last Updated: November 1, 2019


List of Annexes

Annex 1: Details of the Processing


 

ANNEX 1 - DETAILS OF THE PROCESSING

Nature and Purpose of Processing

UserTesting processes Customer Data for the purposes of providing the Services to Customer as set out in the Agreement.

In particular, as a part of the Services, Customer identifies the test participants (herein also referred to as Data Subjects or Participants) that Customer requires to participate in user tests through the UserTesting platform. UserTesting takes instructions from Customers and presents them to selected Participants. Participants follow the instructions while UserTesting records the Participants’:

  • screen
  • voice
  • answers to any questions in response to Customer’s instructions

The resulting video and answers are then available to Customers for further processing using the UserTesting platform including:

  • Note taking
  • Clip making
  • Highlight reel creation
  • Machine transcription
  • Sharing of videos (full videos, clips and highlight reels)
  • Downloading of videos (full videos, clips and highlight reels)
  • Downloading of notes, transcripts and links to videos in excel format.

While this additional processing is facilitated by UserTesting’s platform, it is completely controlled by the Customer.


Duration of Processing

Subject to Section 12 of the DPA, UserTesting will Process Customer Data for the duration of the Agreement, unless otherwise agreed upon in writing.


Categories of Data Subjects

  • Individuals who are members of the UserTesting Panel (“Participants”)
  • Participants who are identified and provided by the Customer to participate in user tests through the UserTesting platform.
  • Customers who use the UserTesting Platform

Type of Personal Data

Participants from Panel:

  • Personal Data that may be included in answers provided by Participants when they answer questions and have their computer screen recorded during a test session. Customer controls what questions are asked and the Customer owns the resulting video/audio.

Participants identified, recruited and/or provided by Customer:

  • Email address
  • Personal Data that may be included in answers provided by Participants when they answer questions and have their computer screen recorded during a test session. Customer controls what questions are asked and the Customer owns the resulting video/audio.

Customers who use the UserTesting Platform:

  • Personal Data that may be included when Customer shares screen with a Participant. Customer controls what is shown and the Customer owns the resulting video/audio.

Last updated: November 06, 2019