Data Processing Agreement
Last Updated January 11, 2024
This Data Processing Agreement (“DPA”) is governed by and hereby attached to the Master Service Agreement or any other agreement (“Agreement”) executed by and between Wizer Feeback Ltd. and its subsidiaries and affiliates (collectively “Wizer” or “Company”), and a customer (“Customer”). Customer and Wizer may be collectively referred to as the “parties”, and individually as a “party”. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
WHEREAS, Wizer is the developer and operator of a proprietary intelligent automated research platform and digital research wizard (“Services”);
WHEREAS, the Services may require Wizer to Process Personal Data (as such terms are defined below) on Customer’s behalf, which Customer discloses to Wizer only for the limited and specified purposes set forth herein, and subject to the terms and conditions of this DPA; and
WHEREAS, the parties desire to supplement this DPA to achieve compliance with the UK, EU, Swiss, United States and other data protection laws and agree on the following:
1. DEFINITIONS
- “Adequate Country” is a country that received an adequacy decision from the European Commission or other applicable data protection authority.
- The terms “Business Purpose”, “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” (and “Process”), “Processor”, “Special Categories of Personal Data” and “Supervisory Authority” shall all have the same meanings as ascribed to them in the EU Data Protection Law, the CPA, the VCDPA and the CTDPA. The terms “Business”, “Business Purpose”, “Consumer”, “Contractor”, “Cross-contextual Advertising”, “Service Provider”, “Sale”, “Sell” and “Share”, “Targeted Advertising” and “Third Party Business” shall have the same meaning as ascribed to them in the US Data Protection Laws. “Data Subject” shall also mean and refer to (under this DPA) a “Consumer”, as such term is defined in the US Data Protection Laws, and “Personal Data” shall include “Personal Information” under this DPA.
- “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, including as modified by the California Privacy Rights Act (“CPRA”) as well as all regulations promulgated thereunder from time to time.
- “CPA” means the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments thereto.
- “CTDPA” means the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto.
- “Customer Data” means Customer Data (as defined in the Agreement) and any Personal Data processed by Wizer in the course of its Service provision to Customer, all as detailed in Annex I attached herein.
- “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Law and the US Data Protection Laws) as may be amended or superseded from time to time.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
- “Israeli Law” means Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations.
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data. Any Personal Data Breach will comprise a Security Incident.
- “Standard Contractual Clauses” or “SCC” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, which may be found here.
- “Swiss Data Protection Laws” or “FADP” shall mean collectively (i) the new Swiss Federal Data Protection Act; (ii) The Ordinance on the Federal Act on Data Protection; and (iii) any national data protection laws made under, pursuant to, replacing or succeeding and any legislation replacing or updating any of the foregoing.
- “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner.
- “US Data Protection Laws” means any U.S. federal and state privacy laws that are in effect as of the Effective Date of this DPA and apply to Wizer’s Processing of Customer Data, and any implementing regulations and amendments thereto, including without limitation the CCPA, the CPA, the CTDPA and the VCDPA.
- “UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and EU General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as incorporated into UK law as the UK GDPR, as amended, and any other applicable UK data protection laws, or regulatory Codes of Conduct or other guidance that may be issued from time to time.
- “UK GDPR” shall mean the GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).
- “UK Standard Contractual Clauses” or “UK SCC” means the UK “International Data Transfer Addendum to The European Commission Standard Contractual Clauses” available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf as adopted, amended or updated by the UK Information Commissioner Office (“ICO”), Parliament or Secretary of State.
- “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), including any implementing regulations and amendments thereto.
Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Data Protection Laws. A reference to any term or section of the Data Protection Laws means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR or UK GDPR depending on the applicable Law.
2. ROLES AND DETAILS OF PROCESSING
- The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Customer Data, and according to the applicable Data Protection Laws, Wizer is acting as a Data Processor and Customer is acting as a Data Controller or Business.
- Each party shall be individually and separately responsible for complying with the obligations that apply to such party under applicable Data Protection Law.
- The subject matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex I attached hereto.
- Additional US Data Protection Laws specifications are further detailed in Annex VII.
3. REPRESENTATIONS AND WARRANTIES
- Wizer represents and warrants that it shall Process Customer Data, on behalf of the Customer, solely for the purpose of providing the Service, all in accordance with Customer’s written instructions under the Agreement and this DPA. Notwithstanding the above, in the event Wizer is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Customer Data other than as instructed by Customer, Wizer shall make its best efforts to inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law.
- Wizer shall provide reasonable cooperation and assistance to the Customer in ensuring compliance with its obligation to carry out data protection impact assessments.
- Where applicable, Wizer shall assist the Customer in ensuring that Customer Data Processed is accurate and up to date, by informing the Customer without delay if it becomes aware of the fact that the Customer Data it is processing is inaccurate or has become outdated.
- Wizer shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Customer Data; and (ii) that persons authorized to Process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Notwithstanding the above, in any event that the Israeli Law applies, the parties hereby undertake that they comply with the aforesaid regulations as well as comply with the DPA.
4. DATA SUBJECTS RIGHTS AND REQUESTS
- It is agreed that where Wizer receives a request from a Data Subject or an applicable authority in respect of Customer Data, where applicable, Wizer will notify the Customer of such request promptly and direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws.
- Parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of and responding to Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
5. SUB-PROCESSING
- The Customer acknowledges that Wizer may transfer Customer Data to and otherwise interact with third-party data Processors (“Sub-Processors”). The Customer hereby authorizes Wizer to engage and appoint the Sub-Processors listed in Annex III to Process Customer Data, and permits each Sub-Processor to appoint a Sub-Processor on its behalf. Wizer may continue to use those Sub-Processors already engaged by Wizer, as listed in Annex III, or engage an additional or replace an existing Sub-Processor to Process Customer Data, subject to giving the Customer thirty (30) days’ prior notice of its intention to do so. If the Customer has not objected to the addition or replacement of a Sub-Processor within such notice period, such Sub-Processor shall be deemed approved by the Customer. If the Customer objects to the addition or replacement of a Sub-Processor within such notice period, Wizer may, in its sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement.
- Wizer shall, where it engages any Sub-Processor, impose, through a legally binding contract between Wizer and the Sub-Processor, data protection obligations that are no less onerous than, and provide at least the same level of protection as, those set out in this DPA. Wizer shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Laws.
- Wizer shall remain responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with this DPA. Wizer shall notify the Customer of any failure by the Sub-Processor to fulfill its contractual obligations.
6. TECHNICAL AND ORGANIZATIONAL MEASURES
- Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Wizer hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Customer Data as required under Data Protection Laws to ensure lawful Processing of Customer Data and safeguard Customer Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction.
- The parties acknowledge that security requirements are constantly changing and that effective security requires the frequent evaluation and regular improvement of outdated security measures.
- The security measures implemented and maintained by Wizer are further detailed in Annex II.
7. SECURITY INCIDENT
- Wizer will notify the Customer without undue delay upon becoming aware of any Security Incident involving the Customer Data. Wizer’s notification regarding or response to a Security Incident under this Section 7 shall not be construed as an acknowledgment by Wizer of any fault or liability with respect to the Security Incident.
- Wizer will: (i) take necessary steps to remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Customer in writing of any request, inspection, audit or investigation by a Supervisory Authority or other authority; (iv) keep the Customer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) co-operate with the Customer and assist Customer with its obligation to notify the affected individuals in the case of a Security Incident.
8. AUDIT RIGHTS
- Wizer shall maintain accurate written records of any and all Processing activities of any Customer Data carried out under this DPA and shall make such records available to the Customer and applicable Supervisory Authorities upon written request. Such records shall be considered Wizer’s Confidential Information and shall be subject to confidentiality obligations.
- Customer may audit Wizer’s compliance with this DPA and Data Protection Laws by requesting a certificate for security verification reflecting the outcome of an audit conducted by a third-party auditor, or a comparable security certification based on an audit conducted by a third-party auditor, issued within twelve (12) months as of the date of Customer’s request.
- Alternatively, in the event the records and documentation provided subject to Section 8 subsections 1 and 2 above are not sufficient for the purpose of demonstrating compliance, Wizer shall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). Wizer may object to an auditor appointed by the Customer in the event Wizer reasonably believes the auditor is not suitably qualified or is a competitor of Wizer. Customer shall bear all expenses related to the Audit and shall (and shall ensure that each of its auditors shall), over the course of such Audit, avoid causing any damage, injury or disruption to Wizer’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit.
- Nothing in this DPA will require Wizer to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other Wizer customer; (ii) Wizer’s internal accounting or financial information; (iii) any trade secret of Wizer or its Affiliates; (iv) any information that, in Wizer’s reasonable opinion, could compromise the security of any Wizer systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Customer or its third-party auditor seeks to access for any reason other than the good-faith fulfillment of Customer’s obligations under the Data Protection Laws.
9. CROSS BORDER PERSONAL DATA TRANSFERS
- Where the GDPR, UK GDPR or the Swiss FADP is applicable:
- Wizer will not transfer Customer Data originating from the EU, UK or Switzerland (which for the purpose of this Section 9 shall be referred as “Customer Data”), to any country or recipient not recognized as providing an adequate level of protection for such Personal Data (within the meaning of the applicable Data Protection Law), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Such measures may include (without limitation) (i) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including to an Adequate Country; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Law; or (iii) to a recipient that has executed the SCCs or the UK SCCs.
- When Customer and Wizer, or Wizer and/or its Sub-Processor, rely on the SCC or the UK SCC to facilitate a transfer to a third country, the following shall apply:
- for transfers of Customer Data from the EEA, the terms set forth in Annex IV shall apply;
- for transfers of Customer Data from the UK, the terms set forth in Annex V shall apply; and
- for transfers of Customer Data from Switzerland, the terms set forth in Annex VI shall apply.
10. TERM, TERMINATION AND CONFLICT
- This DPA shall be effective as of the Effective Date (as defined in the Agreement) and shall remain in force until the Agreement terminates or for as long as Wizer Processes Customer Data.
- Wizer shall be entitled to terminate this DPA or cease the Processing of Customer Data in the event that Processing of Customer Data under the Customer’s instructions or this DPA infringes applicable legal requirements, provided Customer did not cure such infringement within ten (10) days from receiving applicable notice from Wizer. Alternatively, Wizer may, in its sole discretion, suspend the Processing of the Customer Data until such infringement is cured without terminating the DPA.
- Following the termination of this DPA, Wizer shall, at the choice of the Customer, delete all Customer Data Processed on behalf of the Customer and certify to the Customer that it has done so, or return all Customer Data to the Customer and delete existing copies, unless applicable law or regulatory requirements require that Wizer continue to store Customer Data. Until the Customer Data is deleted or returned, the parties shall continue to ensure compliance with this DPA. Customer’s choice shall be provided in writing to Wizer once termination takes effect.
- In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
ANNEX I
DETAILS OF PROCESSING
This Annex includes certain details of the Processing of Personal Data as required under the Data Protection Laws.
Categories of Data Subjects:
Individuals responding to a survey as part of a market research (“Respondent”).
Categories of Personal Data processed:
Respondent data, including contact information (if applicable), survey information and any prize or award received for filling in the survey.
Special Categories of Personal Data:
None.
Nature of the processing:
Collection, storage, organization, communication, transfer, hosting and other uses in performance of the Services as set out in the Agreement.
Purpose(s) of Processing:
To provide the Service.
Retention Period:
For as long as is necessary to provide the Service by Wizer; provided there is no legal obligation to retain the Personal Data post termination or unless otherwise requested by the Customer.
Process Frequency:
Continuous basis for the duration of the Service.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
Physical Access Control
The measures for ensuring physical security of locations at which Personal Data are processed include security measures implemented in Company’s office (alarm system, code locks, etc.) and the physical security measures taken by Company’s hosting providers. The Company secures the physical access to its offices and maintains records of any physical access to the protected Personal Data in order to ensure that solely authorized individuals such as employees and authorized external parties (maintenance staff, visitors, etc.) can access the Company’s offices.
The Personal Data processed by the Company is stored on AWS Cloud (please see the security measures here). When the Personal Data is transferred to the applicable servers it is always done in a secure and encrypted manner, encryption by default, at rest and in transit. AWS undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 16-compliant SOC 2 certification and ISO 27001 certification.
Security Risk Analysis and Management
The Company conducts an accurate and thorough assessment of the potential risks and vulnerabilities of the Personal Data to ensure the confidentiality, integrity, and availability of electronic Personal Data processing. The Company applies annual penetration testing (as further detailed below), and periodic scout reports (e.g., NCC scout and the like) are executed periodically to identify potential security risks, whereas major or critical issues are handled immediately. The Company abides by the Company’s Disaster Recovery plan in order to ensure that the Company can cope with the occurrence of any disaster or emergency. The Company’s servers include an automated back-up procedure. The Company’s office is equipped with fire detectors, fire extinguishers and other applicable measures for the case of a natural disaster.
Penetration Testing
An external penetration test is performed on an annual basis. The penetration tests include, among others, procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own. The penetration tests and security scans are performed by a reputable third-party vendor. In addition, Wizer conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment. Actions are taken to remediate identified deficiencies on a timely basis. Vulnerability scans are performed using external tools, in order to detect potential security breaches.
System Control
Access to the Company’s systems is highly restricted in order to ensure that solely the appropriate, prior-approved personnel can access or use the Company’s systems. Safeguards related to remote access and wireless computing capabilities are implemented therein. Employees are required to comply with the Company’s password policy when composing a password in order to allow strict access or use related to Personal Data, all in accordance with position, and solely to the extent such access or use is required. There is constant monitoring of the access to the data and of the passwords used to gain login access. In addition, the Company implements an automatic CAPTCHA and a lock-out mechanism in order to prevent any unauthorised login to the Company’s servers by means of password guessing. Electronic procedures to terminate inactive sessions are also in use by the Company. Only very few employees have access to the database, which is protected by multiple passwords.
Data Access Control
There are restrictions in place to ensure that access to the Personal Data is restricted to employees and service providers which have permission to access it, and solely on a “need to know” basis. Any permission is granted by the Company’s data protection officer. The Company uses high-level security measures to ensure that Personal Data shall not be accessed, modified, copied, used, transferred or deleted without specific authorization. Access to the Personal Data, as well as any action performed involving the use of the Personal Data, requires a password and user name, which is routinely changed, as well as blocked when applicable. The user password is fully encrypted. Each employee is able to perform actions solely according to the permissions determined by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Further, the Company has an ongoing review of which employees have authorization to access Personal Data and whether such access is still required. The Company revokes access immediately upon termination of employment. Authorized individuals can solely access the Personal Data that is established in their individual profiles.
In addition, weekly security reports are reviewed by the Company’s security officer, the servers are monitored 24/7 and AWS audit trail (CloudTrail) tracks any changes to resources and entities.
Organizational and Operational Security
The Company invests significant effort and resources in order to ensure compliance with the Company’s security practices, and continuously provides employees with on-going training and periodic updates regarding the Company’s security procedures. The Company strives to raise awareness of the risk involved in the processing of Personal Data. In addition, the Company has implemented applicable safeguards for its hardware and software, including web content filtering, firewalls and anti-virus software (“Protection Measures”) on applicable Company hardware, software or employee computers, in order to protect against viruses, worms, Trojans or any other malicious software. The Protection Measures cannot be deactivated by any user other than the Company’s cyber security officer, and only according to the Company’s policies.
Transfer Control
The Company conducted a transfer impact assessment (“TIA”) identifying all transfers of Personal Data and is able to share the TIA upon Customer’s request. The purpose of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of these data or during their transport or storage in the applicable data center. All data is encrypted, both at rest and in transit. Any and all transfers of Personal Data (either between the servers, from Customer side to server side, and between Company’s designated partners) are protected using encryption safeguards such as L2TP, IPsec (or equivalent protection), as well as encryption of the Personal Data prior to the transfer of any Personal Data. The Company’s servers are protected by industry best standards. Furthermore, the destruction of Personal Data following termination of the engagement is included within the contract between the parties. In addition, to the extent applicable, the Company’s business partners execute an applicable Data Processing Agreement and Standard Contractual Clauses, all in accordance with applicable laws. In addition, traffic and transfers are guarded by a WAF with IPS and IDS (Incapsula) and are encrypted with TLS.
The Company has ensured that all documents, including without limitation agreements, privacy policies, online terms, etc., are compliant with the Data Protection Regulations, including by implementing a Data Processing Agreement and, where needed, Standard Contractual Clauses (either pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021, which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN, or pursuant to the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK).
Availability Control
Measures for ensuring the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident were implemented by the Company and include an automated backup procedure. The Company has a backup concept which includes automated daily backups. Periodic checks are performed to determine that the backups have occurred. The Company has also implemented Business Continuity plans and Disaster Recovery policies so that in the event of a disaster the Company will be able to continue to provide the services.
Data Retention
Personal Data is retained for as long as needed to provide the services or as required under applicable laws.
Software Security
All builds are executed on a remote and secured server in a sterile environment (CI/CD). Deployments are checked with anti-virus and vulnerability tests before being shipped for deployment, and code is tested at the unit, integration and end-to-end level before being shipped via CI.
Job Control
All of the Company’s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable data protection provisions binding them to comply with the Company’s policies, in particular the computer security policy. In addition, employees undergo a screening process as applicable per regional law. In the event of a breach of an employee’s obligations or non-compliance with the Company’s policies, the Company applies repercussions to ensure compliance with the policies, all according to the Company’s Employee Manual. In addition, prior to the Company’s engagement with third-party contractors, the Company reviews such third party’s security policies, specifically their information and data security policies, to ensure they comply with the Company’s standard for data security protection. Third-party contractors may solely access the Personal Data as explicitly instructed by the Company.
Data Subject Request
The Company has an online mechanism to enable individuals to submit a data subject request (“DSR”); further, the Company has implemented internal policies to handle DSRs subject to applicable data protection laws and contractual obligations.
Additional Safeguards
Measures and assurances regarding U.S. government surveillance have been implemented by Wizer, and Wizer agrees and hereby represents it maintains the following additional safeguards:
- Wizer maintains industry standard measures to protect the Customer Data from interception (including in transit from Customer to Wizer and between different systems and services). This includes maintaining encryption in transit and at rest.
- As of the “Last Updated” date stated above, Wizer has not received any national security orders.
- No court has found Wizer to be: (i) the type of entity eligible to receive process issued under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”); (ii) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or a member of any of the categories of entities described within that definition.
- In the event that FISA applies to Wizer, Wizer will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Customer Data, including (if applicable) under Section 702 of the FISA.
- If Wizer becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or receive a copy of the Customer Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Wizer shall: (i) inform the relevant Authority that Wizer is a Processor of the Customer Data and that Customer, as the Controller, has not authorized Wizer to disclose the Customer Data to the Authority; (ii) inform the relevant Authority that any and all requests or demands for access to Customer Data should be directed to or served upon Customer in writing; and (iii) use reasonable legal mechanisms to challenge any such demand for access to Customer Data.
- Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Customer Data, Wizer has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, these subsections shall not apply. In such event, Wizer shall notify Customer, as soon as possible, following the access by the Authority, and provide Customer with relevant details, unless and to the extent legally prohibited to do so.
- Wizer will inform Customer, upon written request (and not more than once a year), of the types of binding legal demands for Customer Data Wizer has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.
ANNEX III
LIST OF SUB-PROCESSORS
| Name | Processing region | Description of the processing |
| --- | --- | --- |
| Amazon Web Services Inc. (“AWS”) | Headquarters: 410 Terry Avenue North, Seattle, WA 98109-5210, ATTN; Virginia: 21155 Smith Switch Road, Ashburn, VA, United States of America; Germany: Oskar-von-Miller-Ring 20, 80333 München; Ireland: One Burlington Plaza, Burlington Road, Dublin 4, Dublin | Hosting and storage services (the Company stores the data in Germany, Ireland or the USA, as applicable) |
| Rybon, inc | 6500 Chase Oaks Blvd. Suite 100, Plano, TX 75023, Texas, United States of America | Gift services |
| Alchemer, LLC (previously known as SurveyGizmo) | Security and Compliance Manager, 168 Centennial Parkway, Unit #250, Louisville, Colorado, 80027; Phone: 800 609 6480; Email: compliance@alchemer.com | Survey hosting platform |
| Remesh Inc. | Headquarters: 6815 Euclid Ave., Cleveland, OH 44103, United States of America; Remesh NY Office: 60 Madison Ave, Suite 1201, New York, NY 10010, United States of America | Panelist provider |
| Lucid Holdings LLC | 365 Canal Street, Suite 3100, New Orleans, LA 70130, United States of America | Panelist provider |
ANNEX IV
EU INTERNATIONAL TRANSFERS AND SCC
- The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Customer Data from the EEA to other countries that are not deemed as Adequate Countries.
- Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is effectuated by Customer as the Controller of the Customer Data and Wizer is the Processor of the Customer Data.
- The parties agree that for the purpose of transfer of Customer Data between Customer (as Data Exporter) and Wizer (as Data Importer), the following shall apply:
- Clause 7 of the Standard Contractual Clauses shall not be applicable.
- In Clause 9, option 2 (general written authorization) shall apply, and the method for appointing Sub-Processors and the time period for prior notice of Sub-Processor changes shall be as set forth in the Sub-Processor Section of the DPA.
- In Clause 11, the optional language will not apply, and Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body.
- In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Customer is established (where applicable).
- In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.
- Annex I.A of the Standard Contractual Clauses shall be completed as follows:
- “Data Exporter“: Customer
- “Data Importer“: Wizer
- Roles: (A) With respect to Module Two: (i) Data Exporter is a Controller and (ii) the Data Importer is a Processor.
- Data Exporter and Data Importer Contact details: As detailed in the Agreement.
- Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
- Annex I.B of the Standard Contractual Clauses shall be completed as follows:
- The purpose of the Processing, nature of the Processing, categories of Data Subjects, categories of Personal Data and the parties’ intention with respect to the transfer of special categories are as described in Annex I (Details of Processing) of this DPA.
- The frequency of the transfer and the retention period of the Personal Data is as described in Annex I (Details of Processing) of this DPA.
- The Sub-Processors which Personal Data is transferred to are listed in Annex III.
- Annex I.C of the Standard Contractual Clauses shall be completed as follows: the competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 3 above.
- Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual Clauses.
- Annex III of this DPA (List of Sub-Processors) serves as Annex III of the Standard Contractual Clauses.
- Transfers to the US: Measures and assurances regarding US government surveillance (“Additional Safeguards”) are further detailed in Annex II.
ANNEX V
UK INTERNATIONAL TRANSFERS AND SCC
- The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and as amended in this Annex V, are hereby incorporated by reference and shall apply to transfer of Customer Data from the UK to other countries that are not deemed as Adequate Countries.
- This Annex V is intended to provide appropriate safeguards for the purposes of transfers of Customer Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from Controller to Processor or from a Processor to its Sub-Processors.
- Terms used in this Annex V that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.
- This Annex V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
- Amendments to the UK Standard Contractual Clauses:
- Part 1: Tables
- Table 1 Parties: shall be completed as set forth in Section 4 within Annex IV above.
- Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Section 2 and 3 within Annex IV above.
- Table 3 Appendix Information:
  - Annex 1A: List of Parties: shall be completed as set forth in Section 2 within Annex IV above.
  - Annex 1B: Description of Transfer: shall be completed as set forth in Annex I above.
  - Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: shall be completed as set forth in Annex II above.
  - Annex III: List of Sub-Processors: shall be completed as set forth in Annex III above.
- Table 4 Ending this Addendum when the Approved Addendum Changes: shall be completed as “neither party”.
ANNEX VI
SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY
The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:
- The term “Member State” will be interpreted in such a way as to allow Data Subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
- The clauses in the DPA protect the Customer Data of legal entities until the entry into force of the upcoming revised FDPA.
- All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the data transfers are subject to the FDPA.
- References to the “competent supervisory authority”, “competent courts” and “governing law” shall be interpreted as Swiss Data Protection Laws and Swiss Information Commissioner, the competent courts in Switzerland, and the laws of Switzerland (for Restricted Transfers from Switzerland).
- In respect of data transfers governed by Swiss Data Protection Laws, the EU SCCs will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.
- The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
ANNEX VII
US DATA PROTECTION LAWS ADDENDUM
This US Privacy Law Addendum (“US Addendum”) adds specifications applicable to US Data Protection Laws. All terms used but not defined in this US Addendum shall have the meaning set forth in the DPA.
- CCPA Specifications:
- For the purpose of the CCPA, Customer is the Business and Wizer is the Service Provider.
- Wizer shall Process Customer Data on behalf of the Customer as a Service Provider under the CCPA and shall not: (i) Sell or Share the Customer Data; (ii) retain, use or disclose the Customer Data for any purpose other than for a Business Purpose specified in the Agreement; or (iii) combine the Customer Data with other Personal Data that it receives from, or on behalf of, another customer, or collects from its own interaction with California residents, except as otherwise permitted by the CCPA.
- If, and to the extent applicable, Wizer shall assist Customer in respect of a Consumer request to limit the use of its Sensitive Personal Information (“SPI”) by Wizer.
- Wizer certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from Selling any Customer Data.
- US Applicable States Specifications:
- For the purpose of this US Addendum, “Applicable States” shall mean Virginia, California, Colorado, Connecticut and Utah.
- Wizer agrees to notify the Customer if Wizer makes a determination that it can no longer meet its obligations under this US Addendum or US Data Protection Law.
- Wizer shall provide information necessary to enable Customer to conduct and document any data protection assessments required by US Data Protection Laws. Notwithstanding the above, Wizer is responsible for only the measures allocated to it.
- Wizer shall provide assistance, and procure that its subcontractors provide assistance, as Customer may reasonably request, where and to the extent applicable, in connection with any obligation of Customer to respond to Consumers’ requests to exercise their rights under the US Data Protection Laws, including without limitation by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s respective obligation. Wizer acknowledges and confirms that it does not receive any monetary goods, payments or discounts in exchange for Processing the Customer Data.
- Each party shall, taking into account the context of Processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The parties hereby establish a clear allocation of the responsibilities between them to implement these measures. Wizer’s technical measures are detailed in the DPA and the Annexes above.
- The Processing instructions, including the nature of Processing, purpose of Processing, the duration of Processing, the type of Personal Data and categories of Data Subjects, are set forth in Annex I above.
- In addition to the Audit rights under Section 8 of the DPA, under US Data Protection Laws and subject to Customer’s consent, Wizer may alternatively, in response to Customer’s on-premise audit request, engage a third-party auditor to verify Wizer’s compliance with its obligations under US Data Protection Laws. During such audit, Wizer will make available to the third-party auditor all information necessary to demonstrate such compliance.
- Each party will comply with the requirements set forth under US Data Protection Laws with regards to processing of de-identified data, as such term is defined under the applicable US Data Protection Law.
- When Processing Customer Data or Usage Data (as defined in the Agreement) for the permitted purposes under US Data Protection Laws, Wizer shall ensure it complies with applicable laws and shall be liable for such Processing activities.