This Data Processing Agreement ("Agreement") forms part of the Contract for Services under the BetterFeedback Terms of Service (the "Principal Agreement"). This Agreement is an amendment to the Principal Agreement and becomes effective upon its incorporation into the Principal Agreement, as specified therein or through an executed amendment. Upon incorporation, this Agreement will form a part of the Principal Agreement.
The term of this Agreement shall follow the term of the Principal Agreement. Terms not defined herein shall have the meaning as set forth in the Principal Agreement.
- (A) Your company acts as a Data Controller (the "Controller").
- (B) Your company wishes to subcontract certain Services (as defined below), which involve the processing of personal data, to BetterFeedback, acting as a Data Processor (the "Processor").
- (C) The Parties seek to implement a data processing agreement that complies with the requirements of applicable U.S. laws and regulations concerning data privacy and security.
- (D) The Parties wish to lay down their rights and obligations under U.S. law.
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meanings:
- "Company Personal Data" means any Personal Data processed by a Contracted Processor on Controller's behalf pursuant to or in connection with the Principal Agreement.
- "Contracted Processor" means a Subprocessor.
- "Data Protection Laws" means applicable U.S. federal and state data privacy and security laws and regulations.
- "Services" means the services provided by BetterFeedback as described in the Principal Agreement.
- "Subprocessor" means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Controller in connection with the Agreement.
Processor shall:
- Comply with all applicable Data Protection Laws in the processing of Company Personal Data; and
- Not process Company Personal Data other than on the Controller's documented instructions.
The Controller instructs the Processor to process Company Personal Data to provide the Services and related technical support.
The Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Company Personal Data as necessary for the purposes of the Principal Agreement. All such individuals shall be subject to confidentiality obligations.
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of processing, as well as the potential risks to the rights and freedoms of individuals.
The Processor shall not appoint or disclose any Company Personal Data to any Subprocessor without the prior written authorization of the Controller.
Taking into account the nature of the processing, the Processor shall assist the Controller in responding to requests to exercise Data Subject rights under applicable Data Protection Laws.
The Processor shall:
- Promptly notify the Controller if it receives a request from a Data Subject under applicable Data Protection Laws regarding Company Personal Data; and
- Not respond to the request except on documented instructions from the Controller or as required by applicable law.
The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data and provide sufficient information for the Controller to meet its obligations under applicable Data Protection Laws.
Upon termination of the Agreement, the Processor shall delete or return all Company Personal Data to the Controller, unless retention is required by applicable law.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and allow for audits as required by applicable law.
This Agreement is governed by and construed in accordance with the laws of the State of Delaware, USA, and applicable federal laws of the United States.
Any disputes arising from this Agreement shall be resolved in the courts of Delaware, USA.