This is an Addendum to the Askable Software Services Agreement or the applicable data processing agreement or other agreement under which Askable provides products, support or services to Customer (the “Agreement”) and identifies security policies and commitments of Askable for its Product, Support Services and Project Delivery. Askable’s privacy policy is separate from this Addendum and is available for reference at askable.com/legal/privacy-policy.
Askable may update this Addendum from time to time to document changes in security policies for the Products and/or Support Services in accordance with Section 20. Change Management below. Askable will, upon written request, certify its compliance with this Addendum.
Askable has a risk-based Integrated Management System (“IMS”) for information security, artificial intelligence and privacy management designed to enable Support Services to be delivered in a secure manner and designed to protect Products and related Askable systems from threats and data loss. This Addendum describes the controls of the IMS as of the effective date of the Addendum. Askable regularly assesses and makes improvements to the IMS with reference to changing security threats, regulatory requirements and industry standards.
Askable conducts, or retains independent third parties to conduct, information security risk assessments at least annually and whenever there is a material change in Askable’s business or technology practices that may impact the privacy, confidentiality, security, integrity, or availability of Customer Data. The risk assessments include identifying reasonably foreseeable internal and external risks to privacy, confidentiality, security, integrity, or availability; assessing the likelihood of, and potential damage that can be caused by, identified risks; assessing the adequacy of personnel training concerning the IMS; updating the IMS to limit and mitigate identified risks as appropriate and to address material changes in relevant technology, business practices, and personal information practices and regulations; and assessing whether the IMS is operating in a manner reasonably calculated to prevent and mitigate unauthorised access to or disclosures of Customer Data (“Security Incidents”).
Askable adopts best practices from a number of standards, including, but not restricted to, ISO/IEC 42001:2023, ISO/IEC 27001:2022, ISO/IEC 27701:2019 and Cyber Essentials. Askable receives annual audits for compliance with SOC 2 Type 2, ISO/IEC 42001:2023, ISO/IEC 27001:2022, ISO/IEC 27701:2019 and Cyber Essentials. The most recent SOC 2 Type 2 report and certifications are available on the Askable Trust Center website at trust.askable.com.
Processing and storage requirements for Customer Data on computer systems owned or licensed by Askable or its suppliers for the Products or Support Service (“Askable Systems”) are determined by the type of Askable Product or Support Service subscribed by Customer. Customer has sole responsibility for selecting Products and for designing a system of which the Product and/or any Study is a part, that complies with laws and regulations applicable to Customer’s use.
There are three categories of metadata that may be stored by Products on Askable Systems: Operational and Usage Metadata, Technical Metadata and Customer Business Metadata (collectively, “Metadata”). Metadata is not Customer Data. Operational and Usage Metadata includes information extracted from service and activity logs, such as connection and schedule data and information about how the Products are used. Technical Metadata includes data schemas, rules and data profile statistics, and design metadata that defines processes and study blocks, such as mappings, templates and task flows. Customer Business Metadata contains information related to Customer Data, including participant classifications, study configuration and structure, research instrument formation and configuration, associated input and response data captured in connection with the configuration and administration of studies, and other study-related operational data. Customers may optionally provide feedback to automated natural language features of the Products such as Askable AI Query and Industry Stream. That feedback, including the prompts and the information, suggestions and other outputs (excluding Customer Data) to which it relates, will be used anonymously with respect to Customer and user for product usage observability and improvement.
Collection of Metadata by Products is necessary to provide the Products and cannot be disabled. This information will be used to improve the customer experience including facilitation of Support Services, deployment and usage analysis and usage suggestions.
Askable may aggregate and use Metadata to operate, improve, analyze and support the Products, for distribution in general benchmarking data and industry reports, for the development, enhancement and promotion of Askable's Products and Services and for other lawful business purposes, provided that the data (i) is combined with similar data from Askable’s other customers, (ii) does not directly or indirectly identify Customer, and (iii) does not include any Customer Confidential Information (“Aggregated Data”). Askable will implement technical safeguards and business processes that prohibit reidentification of the Aggregated Data and prevent inadvertent release of the Aggregated Data.
Askable Products may persistently store Customer Data on Askable Systems. Askable does not use or disclose Customer Data without Customer’s consent for any purpose other than that of performing its obligations in connection with this Agreement.
Askable may use one or more third-party artificial intelligence (AI) service providers (collectively, AI Providers) to deliver, enhance, or support functionality across Askable Products. These AI Providers act as subprocessors engaged by Askable to process data on its behalf. The current list of subprocessors, including AI Providers, is maintained at trust.askable.com/subprocessors.
AI Providers may support a range of capabilities, including but not limited to transcription, language processing, data analysis, summarisation, and content generation. These services operate across multiple Askable features and are not limited to any particular product, workflow, or Industry Stream. Askable may substitute or rotate between AI Providers at its discretion to maintain reliability, compliance, and service continuity. Use of AI Providers may transfer Technical Metadata, Customer Business Metadata and Customer Data to an instance provisioned and located in Australia.
Askable Products process Technical Metadata, Customer Business Metadata and Customer Data at a point of delivery in the geography selected by Customer, except that use of AI Providers at points of delivery outside Australia may result in transfer of Technical Metadata and Customer Business Metadata to Australia for processing.
The establishment of a Study or provision of Project Delivery may require Askable to access Customer Data. Where Askable or a Researcher needs to receive Customer Data, Customer will transmit such Customer Data via a secure method of Customer’s choosing, and Askable will store such Customer Data on Askable Systems solely for the purpose of the applicable Project Delivery and shall dispose of Customer Data in accordance with Section 25. Disposition of Data.
Project Delivery may require Researchers to receive remote access to Customer’s computer systems. Customer will notify the Researcher of any reasonable Customer policy or procedure required for access before Customer grants such access. Customer is responsible for implementing security measures to prevent unauthorised use and access of Customer’s computer systems and for revoking access after completion of the applicable Research Services.
Service interactions between Askable personnel and/or Researchers and Customer through virtual meetings may be recorded. Customer consents to recording. Customer is responsible for notifying Askable personnel and Researchers prior to exposure or possible exposure to personally identifiable information during virtual meeting sessions and for redirecting Askable personnel or Researchers and/or halting the session to avoid exposure.
Support Services do not require Askable to receive personal data, and Askable discourages uploading of any personal data. Customer must notify Askable immediately in the event it mistakenly uploads personal data to ensure deletion from the system. Support Services may require Askable to receive Customer Data. Customer will transmit such Customer Data via intercom, and Askable will store such Customer Data at an Askable Support facility in Australia solely for the duration of the applicable Support Services investigation, in accordance with Section 25. Disposition of Data.
Support Services interactions between Askable personnel and Customer through virtual meetings may be recorded. Customer consents to recording and where necessary remote access to Customer’s computer systems for provision of Support Services. Customer is responsible for notifying Askable personnel prior to exposure or possible exposure of personally identifiable information during virtual meeting sessions and for redirecting Askable personnel and/or halting the session to avoid exposure.
Askable uses reasonable methods to safeguard Customer Data from unauthorised access, use and loss, including physical, technical and administrative safeguards. Processed Customer Data from different customers is segregated logically and/or physically. Askable may use additional measures to enhance security beyond those listed below.
Askable locations holding Askable Systems have limited physical access points, which are governed by card access and monitored by surveillance cameras.
Askable’s IMS limits access to Askable Systems to authorized personnel. Askable’s IMS limits access to the Product environment in which Customer Data are processed to authorized Askable Support Services personnel solely as needed to assist with a support case opened by Customer or otherwise as needed to resolve critical release or security issues. Such access is conducted solely upon notification to the Customer.
Askable’s IMS does not allow access to Customer Data except as specifically directed by Customer, provided that verbose logging enabled by Customer may include Customer Data and may be available in the environment accessible as specified above.
Upon Customer’s written request, Askable will promptly identify in writing all Askable personnel who have been granted access to the Customer Data as of the date of request. Access authorizations for Askable personnel are reviewed frequently and rescinded promptly upon change of roles or separation from Askable. Askable maintains logs of access by Askable personnel.
All Products are accessible to Customers through interfaces requiring authentication. Products include support for passwordless authentication or optional SSO authentication for enterprise customers’ user access.
Askable implements an encryption key management process. Encryption/decryption keys are managed independently of the native operating system access control system; stored with reasonable protections; protected during transmission or distribution; changed at or before they reach the end of their crypto period; and retired if Askable becomes aware that their integrity has been compromised. Askable Systems housing sensitive Customer Data are encrypted at rest. All data is encrypted via TLS while in transit.
Askable Systems accessible to the Internet are protected with server hardening, patch management, and incident management. Askable Systems accessible to the Internet are protected by a second set of application firewalls. Firewall and router rules are default-deny and reviewed for unnecessary services and IP address exposures at least once per six (6) months.
Askable implements security as a design principle. Controls throughout the product development lifecycle, including secure application development training, application and code reviews, source code scans, vulnerability scans, penetration tests and other controls, are implemented continuously to reduce the probability and/or impact of application vulnerabilities.
Askable determines remediation priority of vulnerabilities and schedules remediation and mitigation in accordance with Askable’s Vulnerability Management Policy.
Askable maintains access logs to the Products, including date, time and User identifier. Askable can provide the access logs to Customer as required to comply with governing law and to assist in forensic analysis if there is a suspicion of inappropriate access. Passwords are not logged under any circumstances. User access logs are retained for a period of two (2) years.
Askable Products include configurable security controls as indicated in the corresponding Documentation, including user identifiers, controls to revoke access, and access controls.
Askable personnel that operate or support Products receive ongoing education on the importance of security, confidentiality and privacy of Customer Data, Askable policies and associated data security practices, and the risks to Askable and its customers associated with Security Incidents. Askable implements measures designed to ensure that its employees are sufficiently trained, qualified, and experienced to be able to fulfill their functions under the IMS and any other functions that might reasonably be expected to be carried out by the personnel responsible for safeguarding Customer Data.
Askable personnel receive regular training on standard operational procedures and tactics to minimize the impact of Product incidents. Such incidents are classified according to severity of impact, with high-severity incidents triggering root cause analysis and reviews to identify areas for long-term improvement.
Askable plans to enhance and maintain the Products and Support Services during the Term, including but not limited to changes in response to relevant technology and systems, unauthorized access to Customer Data, and the discovery of material privacy or security vulnerabilities. Security controls, procedures, policies and features may change or be added but will deliver a level of security protection that is not materially lower than that provided as of the effective date.
Askable maintains a change management process with separation of duties and appropriate approvals required for modification to Askable Systems, including patch management for Products.
Askable maintains a business continuity and disaster recovery plan. Policies and procedures are in place to provide Products and Support Services with minimal interruptions, including disaster recovery planning and testing capabilities, recovery site management and standard backup and recovery procedures. Askable’s IMS is designed to meet a recovery point objective of 6 hours and a recovery time objective of 10 hours.
Askable or an authorized third party performs periodic testing, including penetration testing, against Products available to the Internet. Askable personnel are responsible for scanning and monitoring system activity and have pre-defined procedures for addressing or escalating vulnerabilities and events as needed. A security incident response team, staffed by senior security and legal staff, is responsible for investigating and responding to information-security related events escalated to their attention and determining if a Security Incident has taken place. Customer and Askable share responsibility for cybersecurity of Products. Customer is responsible for acts and omissions of Customer and Affiliates and their Users and agents that impact the cybersecurity of Customer environments, including but not limited to ingress, egress, network security and high entropy credentials.
Askable maintains cybersecurity insurance covering liability for Security Incidents. Upon written request, Askable will furnish to the Customer a certificate of insurance. In the event the policy is cancelled or modified before termination or expiration of the Agreement such that required coverage and limits are no longer met, Askable will deliver notice of such to Customer.
Pursuant to mutually agreed upon transition fees where applicable, Askable shall reasonably cooperate to support a transition of Customer Data and Customer-specific Technical and Customer Business Metadata (“Transition Data”) from Products to the services of another provider or to Customer’s internal operations. Customer may submit the transition request via its customer enterprise success manager.
Some Transition Data may be exported via the standard Product user interface as described in the Documentation.
For Customers of Products domiciled in Europe: The request shall be submitted two months before the requested transition date, and Askable will provide reasonable assistance without undue delay during a transition period not to exceed a maximum of thirty (30) days, which may be extended once upon Customer written request. Transition Data will thereafter be retained and deleted as specified in Section 25. Disposition of Data below. Askable will inform Customer if the transition period is technically infeasible and provide an alternative transition period, which shall not exceed seven months. Customer will notify Askable when the transition is completed, and Customer’s subscription to the applicable Products will be deemed terminated and Customer will be notified of the termination. Askable will pass on to Customer any third party egress costs. During the transition period, Askable will comply with the obligations of a provider of data processing services under Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 (the “Data Act”) to the extent applicable to the Products, including but not limited to the obligations of articles 25(2)(a)(i-iv) and 25(2)(b) of the Data Act. If the transition results in termination of the applicable Product subscription prior to the end of its committed Term under the Agreement, the fees for the remainder of the committed Term shall become due as an early termination fee. See the Askable Data Processing Agreement for information required by article 28 of the Data Act.
Askable’s policy is to retain Customer Data and Customer-specific Metadata, if not deleted earlier by Customer or upon Customer’s notice to Askable to delete such data, for thirty (30) days after termination or expiration of Customer’s subscription to the relevant Product. Prompts and outputs (excluding Customer Data) of automated natural language features of the Products will be retained for retrieval by Customer. Metadata, derivatives of data under this Agreement and other Customer Data not specified above will be retained in accordance with law, but in any event no more than seven (7) years, at which time it will be permanently deidentified or deleted.
Askable will promptly comply, to the extent practicable, with written requests to destroy Customer Data within shorter time periods than those indicated above.
Destruction of data as referenced herein includes, at minimum, secure erasure of media and secure disposal of records so that the information cannot be read or reconstructed.