This Data Processing Agreement, including its Schedules (“DPA”), forms part of the Askable Software Services Agreement or other written agreement between Askable and Customer for the purchase of (a) Askable-branded product offerings, (b) research services provided remotely via the Internet and (c) any support services including access to Askable’s help desk and to updates, upgrades, patches and bug fixes (“Services”) (the “Agreement”), to reflect the Parties’ agreement with regard to the Processing of Personal Data.
In the course of providing the Services to the Customer pursuant to the Agreement, Askable may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data.
1. DEFINITIONS
- “Askable” means the applicable Askable Group member that entered into the Askable Software Services Agreement.
- “Askable Group” means collectively, Askable Pty Limited and its Affiliates.
- “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
- “Customer” means the entity that executed the Agreement.
- “Customer Data” means what is defined as such in the Agreement, provided that such data is electronic data submitted by or for the Customer to the Services. This DPA does not apply to Content or Non-Askable Applications as defined in the Agreement.
- “Data Protection Law” means all data protection laws and regulations that apply to the Processing of Personal Data by Askable under the Agreement, which may include, without limitation, GDPR.
- “Data Subject” means the identified or identifiable person to whom Personal Data relates.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (EU GDPR) and the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (UK GDPR).
- “Personal Data” means any data that the Customer submits using the Services for Askable to Process on Customer’s behalf that is deemed “personal data” or “personal information” (or other analogous variations of such terms) under Data Protection Law.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “Process” or “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
- “Public Authority” means a government agency or law enforcement authority.
- “Security Addendum” means the Security Addendum accessible at https://www.askable.com/security-addendum.
- “Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 (as amended from time to time) for the transfer of personal data from the EEA, and the International Data Transfer Addendum issued by the Information Commissioner’s Office under Section 119A of the Data Protection Act 2018, effective from 21 March 2022.
- “Sub-processor” means any Processor engaged by Askable Group and listed at https://trust.askable.com/subprocessors.
2. DATA PROCESSING AND PROTECTION
This DPA applies when Askable Processes Customer Data for which Askable acts as a Processor. This DPA does not apply where Askable is the Controller.
- Customer’s Processing. Customer as Controller or Processor shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws including any applicable requirements to provide notice to Data Subjects of the use of Askable as Processor and/or obtaining the necessary consents. Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws.
- Askable’s Processing. Askable will Process Personal Data only (1) in a manner consistent with documented instructions from Customer, including (i) to provide the Services, (ii) as permitted under the Agreement, including as specified in Schedule 1 of this DPA and (iii) consistent with other reasonable instructions of Customer, and (2) with prior notice (unless notice is legally prohibited), as required by applicable law.
- Details of Processing. The purpose for Processing of Personal Data by Askable is the performance of the Services pursuant to the Agreement. The duration of the Processing, nature and purpose of Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 2 of this DPA.
- Confidentiality. Askable will subject persons authorized by Askable to Process any Personal Data to appropriate confidentiality obligations.
- Security. Askable will protect Personal Data in accordance with requirements under Data Protection Law, including implementing appropriate technical and organizational measures designed to protect Personal Data against Personal Data Breach in accordance with the Security Addendum.
- Deletion or Return of Personal Data. At the election of the Customer, Askable will delete or return (or will enable Customer to delete or retrieve) all Personal Data at the end of the provision of Services (unless required by law to store Personal Data).
- Customer Obligations. Askable may suspend Processing based upon Customer instructions that Askable reasonably considers violate Data Protection Law. Subject to the co-operation of Askable as specified in this DPA, Customer will be solely responsible for safeguarding the rights of Data Subjects, including determining the adequacy of the security measures in relation to Personal Data.
3. DATA SUBJECT RIGHTS
- Required Assistance. Taking into account the nature of Processing, Askable shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws.
- Data Subject Request. Askable shall, to the extent legally permitted, promptly notify Customer of any complaint, dispute or request it has received from a Data Subject, such as a Data Subject’s right of access, right to rectification, restriction of Processing, erasure or right to be forgotten, data portability, right to object to the Processing, or right not to be subject to automated decision-making, such request being a “Data Subject Request”. Except to the extent the request relates to Personal Data processed by Askable as Controller, Askable shall not respond to a Data Subject Request itself unless that Customer authorizes Askable to redirect the Data Subject Request as necessary to allow Customer to respond directly.
- Data Protection Impact Assessment Assistance. Taking into account the nature of Askable’s Processing of Personal Data and the information available to Askable, Askable will provide reasonable assistance to Customer as required for Customer to comply with its obligations to conduct data protection impact assessments if required under Data Protection Law in connection with Askable’s Processing of Personal Data under the Agreement.
- Personal Data Breach Notice and Assistance. Askable will notify Customer without undue delay after becoming aware of a Personal Data Breach. Taking into account the nature of Processing and the information available to Askable, Askable will provide reasonable assistance to Customer to satisfy any notification obligations required under Data Protection Law related to any Personal Data Breach. Askable shall make reasonable efforts to identify the cause of such Personal Data Breach and take such steps as Askable deems necessary and reasonable to remediate the cause of such Personal Data Breach to the extent the remediation is within Askable’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer.
4. SECURITY AND PRIVACY AUDITS
- Upon Customer’s request not more than once annually, Askable will make available to Customer all information necessary to demonstrate compliance with its obligations under this DPA and allow for and contribute to audits as follows. Askable will deliver under non-disclosure obligations a copy of Askable’s most recent SOC2 Type 2 audit report. To the extent Customer’s information security questionnaire requests information additional to that included in the Askable Consensus Assessment Initiative Questionnaire (Askable CAIQ), Askable will provide assistance to ensure the Customer can comply with its obligations.
- Subject to payment of applicable additional fees, and to the extent necessary to address issues not covered in the SOC2 Type 2 audit report, the Askable CAIQ, and additional information previously provided, Customer or a third party auditor reasonably acceptable to Askable may conduct an audit of records of Askable’s security and privacy practices as required by a Public Authority or Data Protection Law. Such audit shall (i) be scheduled on at least 45 days’ advance notice for a mutually agreed duration at a mutually agreed date and time; (ii) occur during Askable’s normal business hours; (iii) be permitted only to the extent required to assess Askable’s compliance with this DPA; (iv) comply with the policies, procedures and other restrictions reasonably imposed by Askable and, if applicable, the Sub-processor; and (v) not unreasonably interfere with Askable’s business activities. A third party auditor cannot be a competitor of Askable.
- Customer and its third party auditor will not be entitled to access information subject to third-party confidentiality obligations. Customer will provide written communication of any audit findings to Askable, and the results of the audit will be the confidential information of Askable.
5. SUB-PROCESSORS
- Appointment of Sub-processor. Customer acknowledges and agrees that (a) Askable’s Affiliates may be retained as Sub-processors; and (b) Askable may engage third-party Sub-processors to provide the Services. Askable has entered into a written agreement with each Sub-processor containing, in substance, data protection obligations no less protective than those in the agreement with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.
- Current list. Customer may view the list of current Sub-processors at the following link: trust.askable.com/subprocessors. Customer hereby consents to these Sub-processors, their locations and processing activities as it pertains to their Personal Data.
- Askable will notify subscribed Customers via email of any intended changes concerning addition or replacement of its Sub-processors and provide the Customer with the opportunity to object to such changes. If Customer reasonably objects to a Sub-processor, Customer must inform Askable within ten (10) days. If Askable is unable to resolve Customer’s objection, either party may, upon notice and without liability, terminate the Services that use the objected-to Sub-processor.
- Askable shall remain liable to the Customer for a Sub-processor’s failure to fulfill its data protection obligations.
6. MISCELLANEOUS
- Each party’s aggregate liability under this DPA will not exceed the limitation of liability in the applicable Askable Software Services Agreement.
- If there is a conflict, this DPA will prevail over the Askable Software Services Agreement with respect to the subject matter of this DPA.
- Capitalized terms not defined in this DPA have the same meaning as in the Askable Software Services Agreement.
- Except as otherwise stated in the Askable Software Services Agreement, this DPA will automatically terminate upon the termination or expiration of the Askable Software Services Agreement.
EXECUTION OF DPA
For the avoidance of doubt, signature of the Agreement shall be deemed to constitute signature and acceptance of Schedule 2.
Schedule 1 – Data Transfers
Askable shall not transfer Personal Data outside the United Kingdom or European Economic Area except on the documented instructions of the Controller, which may include instructions given by way of this Agreement (including any approved Sub-processors listed in the Annexes) and intra-group transfers between the Controller's group companies, and only where such transfer is made in compliance with applicable Data Protection Law, including where appropriate safeguards and a recognised transfer mechanism are in place.
The transfer mechanisms outlined below are applicable when a transfer of Personal Data between the Customer and the contracting Askable Group Entity is subject to the GDPR and would constitute a restricted transfer to a third country not covered by an adequacy decision adopted by the European Commission under Article 45(3) GDPR, or by adequacy regulations made by the UK Secretary of State under section 17A of the Data Protection Act 2018.
For each applicable version of the Standard Contractual Clauses between Askable and Customer contemplated in this Schedule, Customer and Askable are deemed to have executed the Standard Contractual Clauses as of the effective date of this DPA.
In the event of any conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses shall prevail.
Transfers subject to EU GDPR
For the purposes of Standard Contractual Clause Module 2, Customer is the data exporter and the Askable entity that is party to this DPA is the data importer and the Parties agree to the following. Where this section 2 does not explicitly mention Standard Contractual Clauses Module 2 or Standard Contractual Clauses Module 3 it applies to both.
1. Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference.
2. Docking Clause. Clause 7 does not apply.
3. Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Askable to Customer upon Customer’s written request.
4. Security of Processing. For the purposes of clause 8.6(a), Customer is responsible for making an independent determination as to whether the technical and organizational measures set forth in the Security Addendum meet Customer’s requirements and agrees the security measures and policies implemented and maintained by Askable provide a level of security appropriate to the risk with respect to Personal Data. For the purposes of clause 8.6(c), Personal Data Breaches will be handled in accordance with Section 3(d) of this DPA.
5. Audits of SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with section 4 of this DPA.
6. General Authorization of Sub-processors. Option 2 applies, with notice period as set out in this DPA. Askable shall be authorized to engage, change and modify Sub-processors in accordance with this DPA.
7. Complaints. For the purposes of clause 11, and subject to Section 3 of this DPA, Askable shall inform data subjects on its website of a contact point authorized to handle complaints. The optional language does not apply.
8. Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated the governing law in the Agreement. If the Agreement does not designate an EU Member State law, the Standard Contractual Clauses will be governed by the laws of Ireland.
9. Choice of Forum. The courts under clause 18 shall be Ireland.
10. Notification of Government Access Request. For the purposes of clause 15(1)(a), Askable shall notify Customer only and not the Data Subject in case of government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as necessary.
11. Appendix.
The Appendix shall be completed as follows:
- The contents of Section 1 of Schedule 2 shall form Annex I.A to the Standard Contractual Clauses.
- The contents of sections 2 to 9 of Schedule 2 shall form Annex I.B to the Standard Contractual Clauses.
- The contents of section 10 of Schedule 2 shall form Annex I.C to the Standard Contractual Clauses.
- The contents of section 11 of Section 2 to this Exhibit shall form Annex II to the Standard Contractual Clauses.
Transfers subject to UK GDPR
For data transfers governed by UK Data Protection Laws, the Mandatory Clauses of the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, the text of which is available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf (International Data Transfer Addendum) shall apply. The information required for Tables 1 to 3 of Part One of the International Data Transfer Addendum is set out in Schedule 2 of this DPA (as applicable). For the purposes of Table 4 of Part One of the International Data Transfer Addendum, neither party may end the International Data Transfer Addendum when it changes.
Schedule 2 – Description of Processing/Transfer
1. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union].
Name: as specified in the Agreement (Customer).
Address: as specified in the Agreement.
Contact person’s name, position and contact details: As specified in the Agreement.
Activities relevant to the data transferred under these Clauses: Performance of the services pursuant to the Agreement and as further described in the Documentation.
Signature and date: as specified in the Agreement.
Role: Controller
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Name: The Askable entity that is a party to the DPA, as identified in the Agreement.
Address: As set out in the Agreement.
Contact person’s name, position and contact details: DPO, privacy@askable.com
Activities relevant to the data transferred under these Clauses: Performance of the services pursuant to the Agreement and as further described in the Documentation.
Signature and date: as specified in the Agreement.
Role: Processor
2. Categories of data subjects whose personal data is transferred
Customer may submit Personal Data to the Services which may include but is not limited to Personal Data relating to the following categories of data subjects:
- Participants and customers of the Customer
- Employees, agents, Researchers or agents of the Customer
- Customer’s users authorized by Customer to use the Services
3. Categories of personal data transferred
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion and which may include but is not limited to the following categories of Personal Data:
- First and last name
- ID Data
- Contact information (company, email, phone, country)
- Professional life data
- Communications with Participants, Researchers and Customer
- Audio, video and transcript recording
- Usage data
- Feedback and opinions
- Demographic information
4. Sensitive Data Transferred (If Applicable)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Customer may submit special categories of data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The applicable security measures are described under the Security Addendum available at askable.com/legal/security-addendum.
5. Frequency of the Transfer
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by the Customer.
6. Nature of the processing
The nature of the Processing is the performance of the Services pursuant to the Agreement.
7. Purpose(s) of the data transfer and further processing
Askable will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Customer in its use of the Services.
8. Duration of Processing
Subject to Section 2.f of this DPA, Askable will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
9. Sub-processor Transfers
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.
As per section 5, Sub-processors will Process Personal Data as necessary to perform the Services pursuant to the Agreement and only for the duration of the Agreement. A list of the then-current Sub-processors is available at https://trust.askable.com/subprocessors.
C. COMPETENT SUPERVISORY AUTHORITY
The supervisory authority of the Data Exporter.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Technical and organizational measures to secure the data are described, for each of the Services to which the data exporter subscribes, within the Security Addendum available at askable.com/legal/security-addendum.