ONLINE DATA PROCESSING AGREEMENT
This DPA governs any UserTesting Processing of Customer Personal Data on behalf of our Customers.
You (or “Customer”) and UserTesting (for and on behalf of its Affiliates) agree to the terms and conditions of this Data Processing Agreement, including the Standard Contractual Clauses, and its Appendices (collectively, the “DPA”) in connection with your use of the UserTesting Platform and Services, as defined in and pursuant to our Agreement.
By accessing the Product and using the Services, you agree to this DPA. This DPA supplements and is incorporated into the Agreement by reference.
IT IS AGREED:
1. DEFINITIONS AND INTERPRETATION
The following words shall have the meanings set forth below.
Agreement means the Terms or other negotiated agreement between UserTesting and the Customer which governs the provision of Services by UserTesting to Customer;
Customer Personal Data means any personal data or personal information generated, transferred, processed or otherwise reproduced under this Agreement or any SOW or Order. For the avoidance of doubt, Customer Personal Data shall not include any personal data or personal information UserTesting obtains and processes as a controller, including (i) from Contributors outside a Test; or (ii) independent of the Agreement;
Data Protection Laws means all relevant laws and regulations in any relevant jurisdiction relating to privacy that are applicable to the collection, use, transfer, or other processing of personal data under the Agreement, including but not limited to EU Regulation 2016/679 (“GDPR”) the GDPR as enacted by the United Kingdom and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA"); in each case, to the extent in force, and as updated, amended or replaced from time to time;
controller, processor, data subject, personal data, personal information, processing, supervisory authority, business, service provider, sell, and share have the meanings set out in the relevant Data Protection Laws;
Data Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Customer Personal Data transmitted, stored or otherwise processed;
International Transfer means the transfer or disclosure of, or other type of access to personal data from the UK; Switzerland, or from the EEA, in each case to a person or entity to a third country (as defined by the relevant Data Protection Laws) or to an international organization which does not ensure an adequate level of protection or is not governed by an existing appropriate safeguard (e.g. binding corporate rules) in accordance with the relevant Data Protection Laws;
Sensitive Personal Data means personal data or personal information of a “sensitive” nature, including without limitation: sensitive personal data (as defined under GDPR), information relating to minors, bank account or card information, credit information and social security numbers or other government-issued identification numbers or other government-issued identifying information.
Relevant Communication means: (a) a validated request from a data subject to exercise any of its rights under the relevant Data Protection Laws; or (b) any complaint, notice or other communication from a data subject or supervisory authority, government authority or judicial body which relates to the processing of personal data;
Shared Personal Data means personal data or personal information collected by or on behalf of a party that is shared with the other party as an independent controller. For the avoidance of doubt, Shared Personal Data includes any personal data or personal information shared in respect of the filtering features of the Services, to the extent that Customer selects a particular piece of demographic information that is associated with a Contributor;
Standard Contractual Clauses means, as the context requires, the relevant clauses set out here.
Sub-Processor means any third party appointed by UserTesting to process the Customer Personal Data.
Capitalised terms not defined within this DPA shall have the meaning provided for within the Agreement.
2. COMPLIANCE WITH DATA PROTECTION LAWS
2.1. Each party is responsible for its own compliance with the relevant Data Protection Laws in relation to the Customer Personal Data whilst under its control and each party is responsible, at their own expense, for responding to the exercise of data subject rights in relation to such Customer Personal Data. This DPA is in addition to, and does not relieve, remove or replace a party’s obligations or rights under the relevant Data Protection Laws.
2.2. The parties acknowledge that Customer acts as controller and UserTesting acts as processor, each in respect of the Customer Personal Data. In connection with the performance of its obligations under the Agreement, with respect to its processing of Customer Personal Data:
a. Customer will comply with all obligations applicable to it under the Data Protection Laws as the controller (as applicable); and
b. UserTesting will comply with all obligations applicable to it under the Data Protection Laws as the processor (as applicable).
2.3. The parties acknowledge that each of the Customer and UserTesting act as an independent controller in respect of the Shared Personal Data. In connection with the performance of its obligations under the Agreement, with respect to its processing of Shared Personal Data, each of the Customer and UserTesting will comply with all obligations applicable to it under the relevant Data Protection Laws:
2.4. Schedule 1 sets out the scope, nature and purpose of processing by UserTesting, the duration of the processing and the types of Customer Personal Data and categories of data subject.
2.5. UserTesting will maintain accurate records to demonstrate its compliance with this DPA and will make this information available to the Customer upon reasonable written request.
2.6. Without prejudice to the generality of Section 2.1 of this DPA, Customer warrants to UserTesting that it has all necessary appropriate consents and notices in place and all necessary rights to enable lawful transfer of the Customer Personal Data to UserTesting and/or lawful collection of the Customer Personal Data by UserTesting on behalf of the Customer for the duration and purposes of this DPA. Specifically, Customer will not perform Tests that collect personal data from a Contributor, unless Customer has obtained Contributor's prior express written consent or has established an alternative legal basis for such Processing. Customer can obtain Contributor's consent by adding a request for consent in the very first screener question of the Test.
2.7. Subject to an applicable Order, Customer may collect or otherwise solicit Sensitive Personal Data through the Product(s) and/or its use thereof, provided always that:
a. it shall:
i. notify UserTesting;
ii. execute any additional documentation required by UserTesting,
in each case in advance of collecting any such Sensitive Personal Data; and
iii. comply with any additional obligations required by the Data Protection Laws and any such additional documentation required under Section 2.7(a)(ii).
b. such Product(s) is certified by UserTesting as being covered by the appropriate certification(s);
c. in the event that Customer (i) discovers that any Sensitive Personal Data has been submitted to the Product(s); and (ii) has not complied with the terms of Section 2.7(a) of this DPA, Customer will immediately notify UserTesting of such disclosure, and upon UserTesting’s receipt of such notification, the parties shall promptly work together and cooperate to comply with Data Protection Laws with respect to such information.
2.8. Customer acknowledges the risks inherent in respect of Sensitive Personal Data, and Customer disclaims all liability against UserTesting for any claims, causes of action, damages, judgments, settlements, and costs asserted by a third party or Customer as a result of the collection, use, transfer, or other processing of Sensitive Personal Data collected in breach of Section 2.7 of this DPA.
PART A - CUSTOMER PERSONAL DATA
3. DATA PROCESSING REQUIREMENTS
3.1. In relation to Customer Personal Data that UserTesting processes as a processor on behalf of Customer, UserTesting will:
a. keep Customer Personal Data confidential;
i. process the Customer Personal Data;
ii. conduct transfers of Customer Personal Data (including, where applicable, International Transfers); and
iii. engage Sub-Processors in accordance with Section 4 of this DPA,
in each case as reasonably necessary for UserTesting to provide the Services and to otherwise comply with its obligations and exercise its rights under the Agreement;
b. inform Customer promptly if in its reasonable opinion an instruction from the Customer infringes any relevant Data Protection Laws. In such event, UserTesting will not be obliged to carry out that processing and will not be in breach of this Agreement or otherwise liable to the Customer as a result of its failure to carry out that processing;
c. take reasonable steps to ensure that persons authorised to process Customer Personal Data are:
iii. only given access to such Customer Personal Data as is necessary for the performance of their duties;
d. notify Customer promptly (and within not more than five working days of identifying Customer as the relevant Data Controller) if it receives any Relevant Communication in respect of Customer Personal Data. For the avoidance of doubt, in the event that UserTesting receives a Relevant Communication in respect of Customer Personal Data, UserTesting will refuse the request and instruct the third party to make such request directly to Customer, and provide the third party with Customer’s contact information;
e. taking into account the nature of the processing being undertaken by UserTesting and the information available to it, promptly following the date of Customer’s request provide reasonable cooperation and assistance to Customer in order for Customer to:
i. comply with its obligations under the relevant Data Protection Laws relating to the security of processing of the Customer Personal Data;
ii. respond to or fulfil (as the case may be) a Relevant Communication in respect of Customer Personal Data; and
iii. conduct privacy impact assessments of any processing operations and consult with supervisory authorities, data subjects and their representatives accordingly.
f. not permit any Sub-Processor to process Customer Personal Data except in the following circumstances:
i. UserTesting has complied with Section 4 of this DPA in respect of the processing of Customer Personal Data by the Sub-Processor; and
ii. the processing of Customer Personal Data by the Sub-Processor is solely for the purpose of providing and enhancing the Product(s) and/ or Service(s) as described in the Agreement;
g. ensure that appropriate technical, physical and organisational measures in accordance with Article 32 GDPR, as detailed here shall be taken to ensure the ongoing confidentiality, security, availability and integrity of the Customer Personal Data and to prevent unauthorised or unlawful processing of Customer Personal Data and accidental loss or destruction of, or damage to, Customer Personal Data; and
h. if a Data Security Incident occurs:
i. notify Customer in writing of such Data Security Incident promptly and without undue delay after discovering the Data Security Incident (and within not more than 48 hours of discovering the Data Security Incident if, in UserTesting’s reasonable opinion, either UserTesting or Customer will be required by any relevant Data Protection Laws to notify a Supervisory Authority of such Data Security Incident);
ii. provide all cooperation, assistance and information reasonably requested by Customer in respect of such Data Security Incident;
iii. except to the extent required by relevant Data Protection Laws, not make any notification to any third party (including any Supervisory Authority or data subject) regarding the Data Security Incident without Customer’s prior written consent. For the avoidance of doubt, the foregoing obligation shall not preclude UserTesting from notifying any third party in respect of whose Personal Data controlled by UserTesting has also been implicated in the same incident as the Data Security Incident or from making any required notifications to Supervisory Authorities provided it does not identify Customer in such notification without Customer’s prior written consent;
iv. assist the Customer, in responding to any request from a data subject and in ensuring compliance with its obligations under the relevant Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; and
v. take such steps as are reasonably required to mitigate the impact of the Data Security Incident on Customer and/or any data subjects and to prevent its reoccurrence.
3.3. UserTesting shall have no liability for failure to comply with the terms of Section 3.1(h) of this DPA to the extent that the Data Security Incident was caused by the Customer or on the basis of the Customer’s instructions.
4.1. The parties expressly agree that UserTesting’s Affiliates may be retained as Sub-Processors.
4.2. The Customer provides general authorisation to UserTesting to engage any person as a Sub-Processor for the processing of the Customer Personal Data. UserTesting maintains an up-to-date list of Sub-Processors at https://www.userzoom.com/sub-processors and shall update that list in advance of appointing or replacing any Sub-Processor thereby giving Customer the opportunity to object to such changes in accordance with Section 4.3 of this DPA. Customer shall provide an email address (as set forth in Section 4.3 below) to receive notifications of intended changes concerning the addition of new Sub-Processors at https://www.userzoom.com/sub-processors. If Customer subscribes to receive such notifications, UserTesting shall notify Customer when the list is updated.
4.3. In respect of any Sub-Processor that UserTesting uses to process Customer Personal Data, UserTesting shall:
a. remain liable for any breach of this DPA that is caused by an act, error or omission of its Sub-Processor;
b. ensure that the Sub-Processor is subject to contractual arrangements no less onerous than the terms contained in this DPA;
c. ensure that the use of the Sub-Processor does not result in:
i. UserTesting breaching any of its obligations under the DPA;
ii. a material risk to the confidentiality, security, availability, or integrity of any Customer Personal Data; or
iii. an adverse effect on Customer’s ability to comply with any relevant Data Protection Laws,
each a “Data Protection Risk”.
4.4. Customer will be entitled to object to the use of a Sub-Processor if the use of that Sub-Processor objectively has caused, or is likely to cause, a Data Protection Risk, provided that Customer provides UserTesting with written notice of its objection within 30 calendar days of the date on which UserTesting’s list of Sub-processors at https://www.userzoom.com/sub-processors is updated to reflect the use of the Sub-Processor from UserTesting.
4.5. If Customer objects to the use of a Sub-Processor in accordance with Section 4.3 above, then the parties will (acting reasonably and in good faith) promptly discuss Customer’s objections and UserTesting must either:
a. not use (or, in respect of an existing Sub-Processor, cease to use) that Sub-Processor to process Customer Personal Data; or
b. permit Customer to terminate the Agreement immediately without additional liability.
5.1. Solely to the extent the Customer Personal Data is subject to the CCPA, the provisions of this Section 5 will apply.
5.2. The parties agree that UserTesting is a service provider and Customer is a business. In connection with the performance of its obligations under the Agreement, with respect to its processing of Customer Personal Data:
a. Customer will comply with all obligations applicable to it under the Data Protection Laws as a business (as applicable); and
b. UserTesting will comply with all obligations applicable to it under the Data Protection Laws as a service provider (as applicable).
5.3. UserTesting shall not:
a. “sell” or “share” the Customer Personal Data (as those terms are defined in the CCPA);
b. retain, use, disclose, or otherwise process Customer Personal Data for purpose other than the business purposes of providing the Services set out in the Agreement, or as otherwise permitted by the CCPA;
c. retain, use, disclose, or otherwise process Customer Personal Data in any manner outside of the direct business relationship between UserTesting and Customer; and/or
d. combine Customer Personal Data with any personal data that UserTesting collects itself or receives from another source, except to perform any business purpose permitted by the CCPA
5.4. UserTesting certifies that it understands the contractual restrictions set out in this section 5 and it will comply with them.
5.5. If UserTesting determines that it can no longer meet its obligations under this Section 5, UserTesting shall notify the Customer no later than the time period prescribed by the CCPA.
5.6. If UserTesting is engaged in unauthorised use of Customer Personal Data, Customer may (upon reasonable written notice to UserTesting), take reasonable and appropriate steps to stop and remediate the unauthorised use of such Customer Personal Data
5.7. The parties hereby acknowledge and agree that the transfer of Customer Personal Data from the Customer shall not constitute the sale or sharing of personal information to UserTesting. UserTesting receives such Customer Personal Data pursuant to the business purpose of providing the Product(s) and/ or Service(s) in accordance with the Agreement.
6.1. The Customer (or another auditor mandated by the Customer, bound by appropriate confidentiality obligations) may audit or otherwise monitor UserTesting’s compliance with the terms of this DPA, by requiring UserTesting to:
a. respond to Customer’s reasonable requests for information, including responses to information security and audit questionnaires;
b. provide appropriate information; records; and certifications and audit reports issued by reputable independent third parties (provided that there have been no material changes to the controls used by UserTesting since the certification or audit report was issued) to the Customer; and/or
c. allowing the Customer, at its own cost, to conduct penetration testing and vulnerability assessments
6.2. Customer will be solely responsible for all fees associated with any such audit under this Section 6 including any fees charged by any auditor the Customer may appoint and for any damage, injury, or disruption to UserTesting’s premises, equipment, personnel, and business caused by such auditor.
6.3. Customer will provide UserTesting with any audit reports generated in connection with any audit under this Section 6, unless prohibited by law. Any information obtained during an audit may be used, solely as necessary to demonstrate compliance with Data Protection Laws and regulatory requests. Customer may perform one audit per year unless required to perform more by Data Protection Laws, upon specific request by a regulatory body or in response to a Data Security Incident.
7. TRANSFERS OF PERSONAL DATA
7.1. The Customer acknowledges and agrees that UserTesting may access and process Customer Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Customer Personal Data may be transferred to and processed by UserTesting in the United States and other jurisdictions where UserTesting, its Affiliates and its Sub-Processors have operations.
7.2. In the case of each International Transfer in respect of Customer Personal Data, UserTesting shall comply with the Data Protection Laws (including, where relevant, Chapter V of GDPR).
7.3. In the event of an International Transfer between the parties, the parties hereby enter into and execute the SCCs by deeming that the SCCs are attached to and incorporated into this DPA, and by subsequently executing this DPA or by using the Services. Where the SCCs require the parties to supplement the SCCs with additional information, all required information is set forth exclusively at https://www.userzoom.com/sccs. If any SCCs the parties rely on are superseded or otherwise invalidated, the parties agree that such new or updated SCCs as may be prescribed by the relevant governmental authority shall apply between the parties without need to amend this DPA, subject to any changes which UserTesting requires to implement to the additional information set out at the foregoing URL.
8. RETURN AND DESTRUCTION OF PERSONAL DATA
8.1. Upon termination of the Agreement (or as otherwise instructed by Customer in writing), UserTesting will cease Processing and return (by way of making available for download in a commercially readable format) Customer Personal Data and/or, within thirty (30) days of Customer’s request, delete all Customer Personal Data in UserTesting’s possession or control and, in the event of a return, subsequently irretrievably delete all copies of such data, subject to Section 6.2 of this DPA.
8.2. UserTesting may retain one copy of Customer Personal Data solely to the extent that it is required to do so by law or which it is required to retain for insurance, accounting, taxation or record keeping purposes, provided that it continues to comply with the requirements of this DPA with regard to such Customer Personal Data. For the purposes of this Section 6.2, Customer accepts that UserTesting may retain a secure backup of Customer’s data for a reasonable period post-termination.
The provisions in this DPA shall apply as long as UserTesting processes Customer Personal Data, in accordance with the Agreement.
PART B - SHARED PERSONAL DATA
10. DATA PROCESSING REQUIREMENTS
10.1. In respect of the Shared Personal Data, each party shall independently (alone) determine the means and purposes of Processing such Shared Personal Data as independent Controllers. Each Party shall independently comply with Applicable Data Protection Law with respect to such Shared Personal Data and shall provide the same or greater level of privacy protection as is required by Applicable Law to such Shared Personal Data.
10.2. Neither party is responsible for the Processing of Shared Personal Data by the other Party as an independent Controller. Customer is responsible for ensuring the lawfulness of the sharing of Shared Personal Data to UserTesting under the Agreement. For the avoidance of doubt, each Party is solely responsible for ensuring (i) the lawfulness of; and (ii) it has adequate legal basis for, Processing Shared Personal Data (including to share it with the other party and has provided appropriate notice and/or obtained any necessary consent required to do so). Where appropriate and in accordance with the terms of this DPA, both parties shall coordinate and liaise in their response and provide each other with information as reasonably required to respond to Relevant Communications in respect of Shared Personal Data.
10.3. If Customer determines that it can no longer meet its obligations as to Shared Personal Data under Applicable Data Protection Law, it shall promptly inform UserTesting. Upon notice to Customer, UserTesting may, but is not required to, take reasonable and appropriate steps to stop and remediate any unauthorized use or Processing of Shared Personal Data.
10.4. Customer will only Process Shared Personal Data shared with them by UserTesting for purposes of the Agreement and in accordance with Applicable Data Protection Law. Each party warrants and represents that it will not engage in any Processing of Shared Personal Data provided to it by the other party which will cause the other party to be in non-compliance with its obligations under Applicable Data Protection Law or with any obligations the other party has vis-à-vis Shared Personal Data.
10.5. The parties shall retain and destroy Shared Personal Data consistent with their respective retention practices. The parties acknowledge and agree that each other has the right, but not the obligation, to retain Shared Personal Data subsequent to the termination of this DPA, except as otherwise provided herein or in Applicable Laws.
10.6. In case the parties can no longer rely on SCCs as appropriate transfer mechanisms, the parties will conclude an alternative transfer mechanism to replace the SCCs without undue delay.
10.7. Each party shall, without undue delay, inform the other party of any Relevant Communication in respect of Shared Personal Data.
11.1. Any notice or other communication to be provided by one party to the other party under this DPA, shall be provided in accordance with the notice provision of the Agreement.
11.2. Should any provision or condition of this DPA be held or declared invalid, unlawful, or unenforceable by a competent authority or court, then the remainder of this DPA will remain valid.
11.3. This DPA and the documents referred to in it including the Agreement constitute the entire understanding and agreement of the parties in relation to the processing of the Customer Personal Data, may be updated from time to time as required by relevant Data Protection Laws, and shall supersede all prior agreements, discussions, negotiations, arrangements and understandings of the parties and/or their representatives in relation to such processing. The terms of this DPA shall be subject always to the terms of the Agreement. Notwithstanding the foregoing, in the event of any conflict or inconsistency between any documents, the following order of precedence shall apply: (i) the SCCs (where applicable); (ii) the relevant Order Form; (iii) this DPA; and (iv) the Agreement.
SCHEDULE 1 - DATA PROCESSING ACTIVITIES – CUSTOMER PERSONAL DATA
Description of service:
UserTesting offers an all-in-one cloud-based secured software solution to manage digital customer experience insights and/or conduct usability testing.
Categories of individuals whose personal data is being processed:
Customer’s Contributors, which may include:
● website visitors; and
Purpose(s) of data processing:
Improve the user experience for Customer’s users.
Type(s) of data processing involved:
The personal data collected or stipulated by those creating studies or sourcing Contributors on behalf of the Customer, which may include (but is not limited to) Contributors’:
● video and audio while taking a Test;
● visited URLs;
● screen recording;
● demographic information; and
● user ID.
Duration of data processing:
Defined in the Agreement