Data Processing Agreement

This agreement

This Data Processing Agreement and its Annexes (“DPA”) form part of the Agreement entered into by Customer and Attest Technologies Limited (“Attest”) and sets out the way in which personal data shall be processed under the Agreement. Any capitalised terms used but not defined in this DPA shall have the meaning set out in the Agreement. This DPA is entered into on the day that the Agreement is signed by and between Customer and Attest. 

  1. In this Clause, the following terms shall have the following meanings:
    1. “controller”, “processor”, “data subject”, “personal data” and “processing” (and “process”) shall have the meanings given in EU/UK Data Protection Law;
    2. “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, where applicable, EU/UK Data Protection Law;
    3. “Customer Contact Data” means data that Attest will process in accordance with your contract, including your users’ names, business email addresses and other information as set out in Attest’s Privacy Policy;
    4. “EU/UK Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
    5. “Video Respondent Personal Data” means video respondents’ personal data that is collected, processed, or transferred by and/or to the Customer through the Attest Service. This personal data shall be limited to a respondent’s video images, identification number and IP address only.
    6. “Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and
    7. “Standard Contractual Clauses” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).
  2. Relationship of the parties: in respect of Customer Contact Data, both parties shall be independent controllers and Attest shall process Customer Contact Data for the purpose of providing the Attest Service. In respect of Video Respondent Personal Data, the Customer shall be the controller and Attest shall be a processor. Each party shall comply with all obligations that apply to it under Applicable Data Protection Law. Both parties acknowledge and agree that Video Respondent Data shall be used by Customer for market research purposes only and shall not be used for marketing purposes.  
  3. Prohibited data: The Parties agree that the Attest Service is not intended for the processing of special category or sensitive data, or any personal data other than Video Respondent Personal Data. The Customer shall not ask any survey respondents to share any other personally identifiable information or any special category data in survey responses.
  4. Purpose limitation: Customer shall use Video Respondent Personal Data for market research purposes only. Attest shall process the Customer Contact Data and Video Respondent Personal Data (together, “Data”) for the purposes described in Annex I and strictly in accordance with the documented instructions of the Customer (the “Permitted Purpose“), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law.  In no event shall Attest process the Data for its own purposes or those of any third party. Attest shall immediately inform the Customer if it becomes aware that such processing instructions infringe Applicable Data Protection Law (but without obligation to actively monitor the Customer’s compliance with Applicable Data Protection Law).
  5. Restricted transfers:  The parties agree that when Data that is collected, processed, or transferred by and/or to the Customer is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:
    1. in relation to Customer Contact Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
      1. Module One will apply;
      2. in Clause 7, the optional docking clause will apply;
      3. in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Schedule 1 Clause 9 of these Terms;
      4. in Clause 11, the optional language will not apply;
      5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
      6. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
      7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to these Terms;
      8. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to these Terms; and
    2. in relation to Video Respondent Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
      1. in Clause 7, the optional docking clause will apply;
      2. in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Schedule 1 Clause 9 of these Terms;
      3. in Clause 11, the optional language will not apply;
      4. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
      5. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
      6. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to these Terms;
      7. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to these Terms; and
    3. in relation to Data that is protected by the UK GDPR, the UK Addendum will apply completed as follows:
      1. The EU SCCs, completed as set out above in clauses 5.1 and 5.2 of this DPA shall also apply to transfers of such Data, subject to sub-clause (b) below;
      2. Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the options “neither party” shall be deemed checked in Table 4.  The start date of the UK Addendum (as set out in Table 1) shall be the date the Agreement is signed by both parties.   
    4. in the event that any provision of the Agreement contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
  6. Onward transfers: Attest shall not participate in (nor permit any subprocessor to participate in) any other Restricted Transfers of Data (whether as an exporter or an importer of the Data) unless the Restricted Transfer is made in full compliance with Applicable Data Protection Law and pursuant to Standard Contractual Clauses implemented between the relevant exporter and importer of the Data.
  7. Confidentiality of processing: Attest shall ensure that any person that it authorises to process the Data (including Attest’s staff, agents and subprocessors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Attest shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.
  8. Security: Attest shall implement appropriate technical and organisational measures to protect the Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
  9. Subprocessing: The Customer consents to Attest engaging third party subprocessors to process the Data provided that: (i) Attest provides at least 30 days’ prior notice of the addition or removal of any subprocessor (including details of the processing it performs or will perform), which may be given by posting details of such addition or removal at the following URL: https://www.askattest.com/legal/privacy-policy; (ii) Attest imposes data protection terms on any subprocessor it appoints that protect the Data, in substance, to the same standard provided for by this Clause and grant the Customer, as a third party beneficiary, the right to terminate the subcontract and to instruct the subprocessor to erase or return the Data in the event that Attest has factually disappeared, ceased to exist in law or has become insolvent; and (iii) Attest remains fully liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor.
  10. Cooperation and data subjects’ rights: Attest shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to the Customer at its own expense to enable the Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Attest, Attest shall promptly inform the Customer, providing full details of the same.
  11. Data Protection Impact Assessment: Attest shall provide the Customer with all such reasonable and timely assistance as the Customer may require in order to enable it to conduct a data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, to assist the Customer to consult with its relevant data protection authority.
  12. Security incidents: Upon becoming aware of a Security Incident, Attest shall inform the Customer without undue delay (and, in any event, within 72 hours) and shall provide all such timely information and cooperation as the Customer may require in order for the Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Attest shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep the Customer informed of all developments in connection with the Security Incident.
  13. Deletion or return of Data: Upon termination or expiry of the Agreement, Attest shall (at the Customer’s election) destroy or return to the Customer all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Attest is required by any Applicable Data Protection Law to retain some or all of the Data, in which event Attest shall isolate and protect the Data from any further processing except to the extent required by such law until deletion is possible.

Annex I

Data Processing Description

This Annex I forms part of the Agreement and describes the processing that the processor will perform on behalf of the controller. 

A. LIST OF PARTIES

Controller(s): 

1. Name: The Customer’s name as set out in the Customer’s Order Form.
Address: The Customer’s registered address as set out in the Customer’s Order Form.
Contact person’s name, position and contact details: As set out in the Customer’s Order Form.
Activities relevant to the data transferred under these Clauses: The provision of the Attest Services by Attest to the Customer.
Signature and date: This Data Processing Agreement shall be deemed executed on the date the Agreement is signed by both parties.
Role (controller/processor): Module 1 Controller in respect of Customer Contact Data. Module 4 Processor in respect of Video Respondent Personal Data.

Processor: 

1. Name: Attest as described in the Agreement.
Address: Attest’s address as specified in the Agreement.
Contact person’s name, position and contact details: Legal [email protected]
Activities relevant to the data transferred under these Clauses: The provision of the Attest Services by Attest to the Customer.
Signature and date: This Data Processing Agreement shall be deemed executed on the date the Agreement is signed by both parties.
Role (controller/processor): Module 1 Controller in respect of Customer Contact Data. Module 4 Controller in respect of Video Respondent Personal Data.

B. Description of Transfer

Customer Contact Data

Categories of data subjects whose personal data is transferred: Customer’s Employees.
Categories of personal data transferred: Name, work address, email address, business telephone number and work title.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous for the duration of the Agreement.
Nature of the processing: Processing by Attest for the provision of the Attest Services to the Customer pursuant to the Agreement.
Purpose(s) of the data transfer and further processing: Providing the Attest Service.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: For the duration of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: N/A.

Video Respondent Personal Data

Categories of data subjects whose personal data is transferred: Video respondents.
Categories of personal data transferred: Video images of respondents, respondents’ IP address and respondents’ identification number.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous for the duration of the Agreement.
Nature of the processing: Processing by Attest for the provision of the Attest Services to the Customer pursuant to the Agreement.
Purpose(s) of the data transfer and further processing: Attest will process this data in order to facilitate the market research requested by Customer and deliver the video results of said research to the Customer.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: For the duration of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: N/A.

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 SCCs): Where the EU GDPR applies, the competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs. Where the UK GDPR applies, the UK Information Commissioner’s Office.

Annex II

Technical and Organisational Security Measures

Description of the technical and organisational measures implemented by the processor to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measures of encryption of data:
All data is encrypted at rest. We use industry standard AES-256 encryption.
All data in transit is encrypted using TLS 1.2.
All of our web applications enforce the use of HTTPS.
All database data and backups are encrypted.

Measures for ensuring physical security of locations at which personal data are processed:
Our technical infrastructure, including databases, is hosted on Amazon Web Services (‘AWS’), which means we inherit the robust security structure and mechanisms that are maintained by AWS. You can read about AWS compliance at https://aws.amazon.com/compliance/programs/

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems, data and services and managing incidents:
All Attest employees and contractors are required to sign standardised employment or contractor agreements prior to their start date, which contain detailed confidentiality provisions.
All Attest employees complete mandatory training, including data protection and cybersecurity training.
Our databases are backed up daily and stored for two weeks.
Our Kafka cluster is backed up to Amazon S3 as soon as new data is available.
We have a documented incident response plan that would be followed in the case of a technical incident, which ensures that a team involving both a legal representative and a customer representative is involved from the beginning to manage communications and notifications. Where the issue is one that may have an impact on customers, customers would be notified.

Measures for user identification and authorisation:
Customers: Users are authenticated via a username and password combination. These are checked against our own credential store, which is stored in our database. We have applied a secure password policy for our customers, which is in accordance with the National Institute of Standards and Technology (NIST), and any new passwords are automatically cross-checked against a database of compromised passwords before they’re accepted. Customers are also able to set up 2-step verification on their accounts: https://intercom.help/attest/en/articles/4859091-log-in-and-2-step-verification.
Attest Employees: All systems used by Attest employees are configured with SAML login where permitted, backed by their email account, which is subject to strict password policies. Access to all systems and email accounts is removed on notice of termination or the employee’s last day.

Measures for the protection of data during transmission:
All data in transit is encrypted using Transport Layer Security (TLS 1.2).

Measures for the protection of data during storage:
Data is stored in our database services, which are managed by AWS and located in Dublin, Ireland. Data storage on local machines is not permitted.

Measures for internal IT and IT security governance and management:
Attest has an Information Security Policy and related documentation which is managed by our IT Manager and Legal Team.

Measures for ensuring data minimisation:
Attest only collects the minimum personal data required for the purpose of the processing. Attest also completes detailed reviews of any new suppliers and/or any processing activities by third parties to ensure that only minimal data is processed.

Measures for ensuring accountability:
Data protection impact assessments and privacy reviews are completed by the Attest Legal Team when new systems which process personal data are introduced.

Measures for allowing data portability and ensuring erasure:
Attest allows customers to export their survey responses from the Attest platform during the course of a customer’s subscription and encourages customers to download their survey data on an ongoing basis. Attest also has a process, managed by the Attest Legal Team, which allows data subjects to exercise their privacy rights, as set out in Attest’s privacy policy.