Customer Data Processing Agreement (DPA)
This DPA regulates any processing of personal information on behalf of our customers by Userpeek.
You (or "Customer") and Gravitech and its Affiliates ("Userpeek") agree to the terms and conditions of this Data Processing Agreement, including the Standard Contractual Clauses, and its Appendices (collectively, the "DPA") in connection with your use of the Userpeek Platform and Services, as defined and in accordance with our Agreement.
This DPA is accepted by your use of the Userpeek Platform and Services. This DPA complements and is included into the Userpeek Customer Terms and Conditions (as modified from time to time) (the "Terms") or other formal agreement under which Userpeek agrees to grant you access to the Platform and Services (the Userpeek Customer Terms and Conditions or such other agreement are referred to herein as the "Agreement").
In the event of a disagreement or discrepancy between this DPA and our Agreement, the terms of this DPA shall govern. Any capitalized terms used but not defined in this DPA shall have the meanings ascribed to them in either the Agreement or the Applicable Laws, as specified below.
WHEREAS, Userpeek performs cross-border transfers of data to and from the United States and other locations, and processes such data for the purpose of providing you with the Services, including storage of your Sessions and Recordings, storage of certain other information, support for security and threat analysis, billing, and account provisioning.
WHEREAS, Tests and Sessions are at the control of the Customer, and the submission of Customer Personal Data to Userpeek for processing is at the Customer's exclusive discretion.
WHEREAS, the Service is hosted by Userpeek's data center partners, which maintain independently validated security programs, including SOC 2 and ISO 27001, and our systems are routinely tested by independent third-party penetration testing firms to continuously assess and enhance our security posture; and
WHEREAS Userpeek does not knowingly grant access to its infrastructure to government entities in the United States or elsewhere.
Therefore, for great consideration, the parties agree to the following:
1. Definitions "Commission", "Controller", "Personal Data Breach", "Member State", "Processor", "Sensitive Data", and "Supervisory Authority" shall have the meanings specified in the European Union (EU) General Data Protection Regulation 2016/679 ("GDPR") or any other Applicable Laws for purposes of this DPA. "Business," "Consumer," and "Service Provider" shall have the meanings ascribed to them under the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100 et seq. ("CCPA"). As required by the circumstances of this DPA, "processing" (and its derivatives) has the same meaning as in the GDPR or CCPA.
1.1 "Affiliates" refers to any corporate firm that directly or indirectly controls, is controlled by, or is under common control with a political party.
1.2 "BCRs" implies the binding corporate rules that have been authorized in accordance with Articles 47 and 63 of the GDPR.
1.3 "Applicable Laws" refers to any data protection laws applicable to Userpeek, such as the GDPR, the UK GDPR, and the CCPA.
1.4 "Customer Personal Data" means "personal data" or "personal information" (as defined in Applicable Laws) that Userpeek receives and Processes on behalf of Customer during the provision of Services to Customer. Customer Personal Data does not include personal data or personal information that Userpeek acquires or processes (i) from Testers outside of a Test or Session or (ii) independently of its Agreement with Customer.
1.5 "Standard Contractual Clauses" or "SCCs" means, as the context requires: (i) the EU Standard Contractual Clauses for Processors pursuant to the European Commission Decision as of 4 June 2021 ("EU SCCs"); or (ii) the EU SCCs as amended by the UK International Data Transfer Addendum, attached as Schedule 2, for Customer Personal Data exported from the UK ("UK SCCs").
1.6 "Sensitive PII" includes "Sensitive Data" revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data relating to health or a person's sex life or sexual orientation, and data relating to criminal convictions and offences.
1.7 The term "Subprocessor" (or "sub-processor") has the meaning defined in the SCCs.
1.8 "Transfer" or "Transferred" refers to the transfer, disclosure, or other access to Customer Personal Data to a person, entity, or system situated in a country or jurisdiction other than the country or jurisdiction in which the Customer Personal Data originated.
1.9 "UK GDPR" implies the EU GDPR as modified and integrated into UK legislation.
2. Roles, Objectives, and Customer Specifications.
2.2. Purposes. Userpeek acknowledges that it will only collect and process Customer Personal Data on behalf of the Customer for the following purposes: (i) delivering and upgrading the Platform and Services; and (ii) identifying data security problems and safeguarding against fraudulent or illegal activities. Userpeek will not Process Customer Personal Data for any other purpose, including the provision of services to a third party, without the Customer's approval. Userpeek will not sell any customer-specific information.
2.3 Instructions from Customers. Userpeek shall undertake all Processing of Customer Personal Data in accordance with Customer's written instructions, which are assumed to be fully represented in this DPA, unless Customer and Userpeek agree to further written instructions in writing (which will supplement, but not replace, the instructions in this DPA). Customer shall comply with any extra requirements set out in the Terms or specifically allowed by Userpeek if Customer elects to execute Tests involving testing with minors, Protected Health Information, or physical product testing. Customer will not conduct tests that acquire Sensitive PII from a Tester unless Customer has Tester's prior written agreement and complies with all extra requirements required by Userpeek. Customer can seek Tester's permission by including a consent request in the very first screener question of the Test. If Userpeek becomes aware of a Customer directive that, in its judgment, violates Applicable Laws, Userpeek will quickly notify the Customer. Personal Data of Customers should be Processed as necessary for the commercial relationship between the parties. Personal Data of Customers should be Processed as necessary for the commercial relationship between the parties. Customer shall hold Userpeek blameless and compensate Userpeek for any damages sustained or incurred as a result of Userpeek's Processing of Customer Personal Data under Customer's instructions. Userpeek has established the technological and organizational procedures indicated in Appendix Annex II to secure Customer Personal Data against (i) unauthorized or accidental access or disclosure, (ii) abuse, (iii) corruption, and (iv) loss or destruction, in compliance with Applicable Laws.
2.4 Customer is responsible for obtaining all required consents from data subjects when it collects Personal Data, and Userpeek shall have no liability deriving from the Processing of Customer Personal Data in line with Customer's explicit instructions.
3. Request for Access to Personal Data Concerning Customers; Disclosure of Customer Name If a third party asks access to or modification of Customer Personal Data, Userpeek will deny the request, instruct the third party to make the request directly to Customer, and give the third party's contact information. In the event that Userpeek is compelled to disclose Customer Personal Data in response to a legal demand from a law enforcement agency or other third party, Userpeek will notify Customer of such demand prior to granting access, so that Customer may seek a protective order or other appropriate remedy. If communication to Customer is forbidden by law, Userpeek will make commercially reasonable steps to protect Customer Personal Data from inappropriate disclosure, as if it were Userpeek Confidential Information that was being sought. Customer understands and accepts that Customer's name may be disclosed to a Tester if required or recommended by relevant legislation.
4. Breach of Customer Personal Data Userpeek must notify Customer without undue delay if it becomes aware of unauthorized or unintentional access or abuse of Customer Personal Data it Processes pursuant to the Agreement, and shall make reasonable efforts to mitigate the impacts and minimize any data protection breach. Userpeek shall take steps to avoid a recurrence of the breach and will offer reasonable cooperation and assistance in regard to any notifications that Customer is obliged by Applicable Law to make as a result of the breach.
5. Transfer. You acknowledge and agree that we may access and Process Customer Personal Data globally as required to provide the Services in accordance with the Agreement, and in particular that Customer Personal Data will be transferred to and Processed by Userpeek in the United States and other jurisdictions where we, our Affiliates, and our Subprocessors maintain operations. We shall guarantee compliance with the Applicable Laws for any transactions. We will not transfer Customer Personal Data from the EEA, Switzerland, or the UK to any country or recipient not recognized as providing an adequate level of protection for Customer Personal Data by the relevant EEA, UK, or Swiss authority unless we take all steps necessary to ensure compliance with Applicable Laws. Such measures may include transferring such data to a recipient that (i) is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Customer Personal Data, (ii) has attained BCRs, or (iii) has executed suitable SCCs. Specifically, the parties accept the SCCs attached to this DPA, since Schedule 1 is an integral component of this DPA.
6. Obligations towards Subprocessors. Regardless of whether the Subprocessor is an Affiliate of Userpeek or a third party, Userpeek will:
6.1 Restriction of Subprocessor Access to Customer Personal Data to the Minimum Necessary for the Provision or Maintenance of the Platform and Services to the Customer;
6.2 impose on Subprocessors in writing essentially identical applicable contractual duties that are no less protective than the responsibilities set out in this DPA; and
6.3 Remain accountable for the compliance and performance of Subprocessors in accordance with the terms of this DPA.
7. Subprocessor Listing. Customer has accepted Userpeek's Affiliates (as listed in Appendix - Annex III) as Subprocessors as of the date of signing. Customer authorizes Userpeek to employ its Affiliates and other Subprocessors in providing the Platform and Services. Before permitting any new Subprocessor(s) to Process Customer Personal Data under the Agreement, Userpeek will provide notice of any modifications or additions to its Subprocessor(s). If the Customer disagrees with the engagement of a new Subprocessor, the Customer must notify Userpeek in writing, and if Userpeek chooses to continue employing the Subprocessor, the Customer may terminate the Agreement.
8. Audit. Subject to your requirements of confidentiality, Userpeek will supply you with the information required to show compliance with Applicable Laws. Customer accepts that Userpeek's most recent penetration test, serves as proof of compliance with this DPA and Applicable Laws. Userpeek will also reply to legitimate demands for information, such as information security and audit questionnaires, on a yearly basis. If, in Customer's reasonable view, the required information is insufficient, Userpeek will, at Customer's prior written request, permit Customer to inspect the information within its control. Customer accepts that Userpeek has no responsibility to transmit information that is prohibited by relevant laws or contractual obligations from releasing to a third party. Customer is completely liable for any fees related to the audit, including any fees paid by any auditor you may choose, as well as any damage, injury, or interruption to our facilities, equipment, people, or business resulting from your auditor. If a third party is to perform the audit, both Customer and Userpeek must agree and the third party must sign a signed confidentiality agreement with both parties before executing the audit. The parties will collaborate to agree upon a final audit plan, which may include fees for Userpeek's expenditures. Unless prohibited by law, Customer will provide Userpeek with any audit reports prepared in conjunction with any audit conducted according to this provision. Any information gathered during an audit may only be utilized to establish compliance with Applicable Laws and regulatory requirements. Customer may conduct one audit per year, unless obliged to conduct additional audits by relevant legislation, upon particular request from a regulatory agency, or in reaction to a data breach.
9. Data Retention. Userpeek shall destroy Customer Personal Data per the terms of the Agreement, unless obliged by law to keep a copy of Customer Personal Data. Userpeek is not required to store Customer Personal Data beyond the termination or expiration of the Agreement, unless the parties have specifically agreed otherwise.
10.1 The parties recognise, notwithstanding anything to the contrary, that the Applicable Laws are not intended to threaten or undermine the confidentiality requirements to which they are bound under the Agreement or an agreed-upon nondisclosure agreement.
10.2 If any term or condition of this DPA is ruled or declared illegal, unlawful, or unenforceable by a competent authority or court, the other provisions and conditions of this DPA shall continue in effect.
10.3 This DPA shall remain in effect so long as our Agreement is in effect. Userpeek may alter its online terms by notifying the Customer by email. All additional revisions to this DPA must be in writing and signed by each party's authorized representative.
Standard Contractual Clauses and International Data Transfer Addendum, Schedules 1 and 2
By executing an Order, unless otherwise agreed upon in writing, Customer is assumed to have executed the SCCs as set out in their whole on our website, which will have legally binding force between the parties. There is a link to the SCCs on this page. The following Appendices are incorporated into the SCCs by reference.
Attachment - ANNEX I to SCC 2021
DESCRIPTION OF TRANSFERS
The DPA incorporates this Appendix - Annex I (or "Annex I"). All capitalized words not defined below will have the meanings specified in the DPA.
1. LIST OF PARTIES
The Data Exporter is (i) the company that has executed the Standard Contractual Clauses as a Data Exporter, and (ii) all Customer Affiliates (as defined in the Agreement) based in the European Economic Area (EEA), United Kingdom (UK), or Switzerland that export Customer Personal Data pursuant to the Agreement.
Userpeek and its Affiliates are the Data Importer. Under the terms of the Agreement, the Data Importer offers the Userpeek Platform and Services to the Data Exporter, during which it processes some Customer Personal Data as a Processor.
2. DESCRIPTION OF TRANSFER
Nature of the Operation
As a Processor, the Data Importer offers the Platform and Services to the Data Exporter, during which it processes specific Personal Data. Userpeek Platform is a software platform that allows its clients to create test plans and identify target audiences in order to gather feedback on any brand, design, content, or service.
On the Userpeek Platform, the data exporter's data may be hosted and kept in a third-party data center (AWS) in the United States, Germany, Sweden, Singapore, Japan, or Australia.
Object(s) of data transmission and subsequent processing
The Data Importer processes Customer Personal Data in order to provide services to the Data Exporter, including distributing and making available to the Data Exporter the records, recordings, and analysis from interviews, surveys, and sessions performed on the Userpeek Platform.
Duration of processing, the retention duration for personal data, and/or the criteria used to calculate that period
Customer Data is stored for as long as the data importer offers the Services to the data exporter, or until the Customer requests that the data be destroyed. In the absence of a deletion request from Customer, Userpeek may erase Customer Personal Data 12 months after the conclusion of the provision of Services, unless compelled by law to preserve a copy of Customer Personal Data.
The transmitted Customer Personal Data pertain to the following types of data subjects:
Tests and Sessions Data Categories Testers
The transmitted Customer Personal Data includes the following kinds of information:
Personal Data or other personally identifiable information contained in Customer's replies to Test Tasks and Questions
Sessions intended to capture Face Recordings.
Screen and audio recordings may mistakenly collect Personal Data or other personally identifying information.
Customer may request special categories of information in a Test, such as information about children or an individual's racial or ethnic origin, health, sexual orientation, political opinions, religious beliefs, criminal background or alleged offenses, or trade union membership, provided Customer complies with applicable laws and the Agreement.
Transferring on a regular basis (e.g. whether the data is transferred on a one-off or continuous basis)
The transmission of data will be ongoing.
For transfers to (sub-)processors, further describe the processing's subject matter, type, and duration.
Userpeek and its Subprocessors may need access to or handle the personal data supplied by the data exporter into the Userpeek Platform in order to offer the subscription service as part of the scope of delivering the Userpeek Platform and Services, including technical support. Appendix - Annex III contains a list of Subprocessors utilized by Userpeek as of the effective date of this DPA. The most recent list of Userpeek's Subprocessors may be found at https://www.userpeek.com/subprocessors.
3. CAPABLE SUPERVISING AUTHORITY
The governing body of the Data Exporter.
Technical and Organizational Security Measures - Annex II to SCC 2021
This Appendix - Annex II (or "Annex II") is included into the DPA and outlines the parties' technological, organizational, and physical security measures. All defined words that are not defined in this section will have the meanings specified in the DPA.
Information Security at Userpeek is centrally controlled by its Information Security team. Among the tasks of the Userpeek Information Security team are the management of information security across all worldwide locations, all Userpeek products and services, and the involvement of Userpeek Subprocessors.
Userpeek shall comply with the following in addition to any data security criteria specified in the DPA:
1. Security Administration
Userpeek's executive team approves and formally reviews its security policy annually. It mandates that all workers get training on their obligations to safeguard personal and private information. Training is provided to new hires during orientation. All personnel are expected to get annual training updates.
a. Client and Tester access is restricted by the use of complex passwords. Passwords must be at least 6 characters long and include at least one capital letter, one lowercase letter, and one number. Additionally, they may contain special characters.
b. Users are automatically logged out of the system during periods of inactivity. The precise duration is customizable per account to fulfill the needs of each individual consumer.
c. When creating new accounts, users generate their own safe passwords. When existing users establish accounts for new users, the new users are emailed an invitation and requested to set their own safe passwords.
d. Lost passwords cannot be recovered, however users can reset their passwords by responding to an email sent to their account's email address.
e. Accounts are locked for 30 minutes if a user enters an incorrect password 10 times within 30 minutes.
3. Multi-factor authentication (MFA) for internal accounts
Userpeek mandates MFA for all internal email and development accounts.
4. Hosting of Data and Encryption
a. Amazon Web Services hosts all sensitive and proprietary data (including video files, Customer and Tester data) (AWS). AWS is a certified SOC 2 and ISO 27017 hosting provider.
b. All data is encrypted both at rest and in motion. The data is stored securely with 256-bit AES encryption. AWS Key Management Services administers encryption keys.
c. All transmissions to and from the data center are encrypted (TLS 1.2 or greater required).
6. Vulnerability Assessment
Userpeek conducts vulnerability checks on infrastructure devices, servers, and user desktops on a quarterly basis. Cloud infrastructure, virtual instances, web apps, and production code modifications are scanned for vulnerabilities to guarantee that vulnerabilities are swiftly found and remedied.
7. Hosting for Prototypes, Images, and Assets
Userpeek is capable of hosting test-related web assets. The stored materials are secured and can only be accessed over SSL. These are stored securely in our AWS infrastructure and are only available via secure connections that are inactive unless a test is in process and the designated, active Tester uses them.
8. Data Lifecycle Management
One year after the conclusion of the supply of Services, unless Userpeek is required by law to preserve a copy of Customer Personal Data, Userpeek may erase Customer Personal Data. Userpeek shall erase Customer's Personal Information upon request.
9. Personal Safety
a. Userpeek does background checks on all employees, contractors, and consulting firms, and does not recruit anyone with questionable backgrounds.
b. Access credentials are terminated or updated within 24 hours of an employee's separation from the firm or a change in their business function.
10. Clean Desk Policy
Employees are required under Userpeek's clean desk policy to store any private material in a secure area and never leave it unattended in their workstations.
11, Security Procedures
All Userpeek office locations are protected by keycard locks allocated to specific personnel and continuously monitored by surveillance cameras. At all times, visitors must sign in and be guided. Annual physical security audits are conducted.
12. System Development
a. Userpeek constructs its platform utilizing an agile development technique that routinely delivers modest modifications following peer review and testing.
b. Every update that is made is initially tested on a local system. Changes are approved by peers before being tested on non-production systems. Changes are deployed to the production system after passing all tests and receiving peer approval. Each modification is analyzed by tools for static analysis, which seek for known vulnerabilities in all utilized components. Tests are conducted on other systems (made in the same manner) utilizing seed data or disguised production data so that the production system is not compromised.
c. Deployment is controlled by automated tools. The scripts that operate the tools are likewise subject to version control.
d. Nightly checks are performed on virtual instances, and important software patches are deployed as required.
e. Customer information is not utilized outside of production. Exceptions are made for debugging situations when genuine data is necessary, and even then, the data is initially obscured to protect the disclosure of Customers' and Testers' personal information.
13. Security of Networks and Devices
a. Userpeek utilizes firewalls to safeguard our internal systems. Access to administrative and hosting systems requires a secure VPN login.
b. Wireless connectivity within the site is restricted by requiring corporate credentials. Other computers and mobile devices utilize an alternate access point outside of the firewall.
c. Company-owned computers are monitored and updated with the most recent operating system, anti-virus, and productivity applications.d.
d. Bring your own device (BYOD) is permitted in certain instances, and computers used for business purposes must fulfill the aforementioned company criteria.
e. All production systems are backed up to geographically dispersed AWS data centers and encrypted for storage.
14. Security Assurance
Userpeek needs a yearly, independent security assessment of both its internal systems and platform. Copies of the most current audit reports are available upon request.
System activity is logged centrally. Logs are stored for a minimum of 12 months in a manner that makes tampering very impossible.
16. Intrusion Detection, Preventative Measures, and Incident Management
System access is tracked and monitored. Threat detection software is installed on each instance of the VPC and generates warnings when it detects anomalous behavior. Customized surveillance systems seek for additional anomalous behavior. Engineers examine alerts in accordance with an incident response strategy. The strategy is meant to escalate events successfully to the appropriate level of authority, guaranteeing speedy repairs that are followed by a root cause study and action plan to prevent repeat issues. Annually, the incident response strategy is evaluated.
17. Web Application Firewall (WAF)
Userpeek leverages a WAF deployed on the AWS WAF infrastructure to thwart typical types of attacks. AWS changes the managed rules automatically when new vulnerabilities and malicious actors arise.
18. Data Loss Prevention (DLP)
Userpeek uses DLP equipment on workplace workstations in order to monitor and report odd activities. The deployment of additional DLP tools in mission-critical cloud infrastructure.
Userpeek relies on a variety of third parties to provide its comprehensive platform of services. Most individuals do not have access to sensitive information. Those that do are subject to yearly security evaluations and are contractually expected to offer a security posture at least as strong as what we provide ourselves.
20. Business Continuity
Business continuity is addressed in the security policy of Userpeek. The platform was created to be resilient and recoverable.
The platform is hosted on numerous AWS servers with options for load balancing and failover.
Instances can be generated on demand if one fails.
Videos are saved in S3 buckets that are journaled.
Videos are kept in a minimum of two geographically dispersed data centers.
Other data is kept in RDS with daily snapshots and continuous backups to alternative data centers.
To provide redundancy in the event of a catastrophic incident, data centers are situated in geographically varied areas.
ANNEX III appendix to SCC 2021
Subcontractor and Subsidiary
Annex III of this Appendix is included into the DPA.
You may view the whole list of subprocessors at https://www.userpeek.com/subprocessors.
167 Madison Avenue
Ste 205 #174
New York City, NY 10016
Last updated on 18 October 2022