If you require a customized or signed Data Processing Agreement, please email [email protected] (available to customers on the Accelerate tier only). Otherwise, the standard Data Processing Agreement below applies to all other users with an OpinionX account.
-- -- --
OpinionX Data Processing Agreement
This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") between the user (the "Company") and OpinionX Limited (the "Data Processor"), together as the "Parties".
WHEREAS
A. The Company acts as a Data Controller.
B. The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
C. The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "General Data Protection Regulation" or "GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR") as applicable, and any other applicable data protection laws.
D. The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
-- -- --
1. Definitions and Interpretation
1.1 - Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 - "Agreement" means this Data Processing Agreement and all Annexes;
1.1.2 - "Company Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of the Company pursuant to or in connection with the Principal Agreement;
1.1.3 - "Contracted Processor" means the Processor or a Subprocessor;
1.1.4 - "Data Protection Laws" means the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and any other data protection or privacy laws applicable to a Party's Processing of Company Personal Data under this Agreement;
1.1.5 - "EEA" means the European Economic Area;
1.1.6 - "GDPR" means EU Regulation 2016/679;
1.1.7 - "Restricted Transfer" means a transfer of Company Personal Data from the Company to the Processor, or an onward transfer from the Processor to a Subprocessor, where such transfer would be prohibited by Data Protection Laws absent a valid transfer mechanism (such as the SCCs or the UK IDTA);
1.1.8 - "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021;
1.1.9 - "UK IDTA" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018;
1.1.10 - "Services" means the OpinionX software-as-a-service platform made available to the Company under the Principal Agreement;
1.1.11 - "Subprocessor" means any person appointed by or on behalf of the Processor to Process Personal Data on behalf of the Company in connection with the Agreement, as listed here.
1.2 - The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3 - The subject matter, duration, nature and purpose of the Processing, the type of Personal Data, and the categories of Data Subjects are set out in Annex I.
-- -- --
2. Processing of Company Personal Data
2.1 - Processor shall:
2.1.1 - comply with all applicable Data Protection Laws in the Processing of Company Personal Data;
2.1.2 - not Process Company Personal Data other than on the Company's documented instructions, including those set out in the Principal Agreement and this Agreement, unless required to do so by Union or Member State law to which the Processor is subject; and
2.1.3 - in the case described in clause 2.1.2, inform the Company of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
2.2 - The Company instructs the Processor to Process Company Personal Data for the purposes set out in the Principal Agreement and as further described in Annex I.
2.3 - The Processor shall immediately inform the Company if, in its opinion, an instruction from the Company infringes Data Protection Laws.
-- -- --
3. Processor Personnel
3.1 - The Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
-- -- --
4. Security
4.1 - Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 - The technical and organisational measures implemented by the Processor are set out in Annex II. The Processor may update or modify these measures from time to time, provided that such updates or modifications do not materially decrease the overall level of protection of Company Personal Data.
4.3 - In assessing the appropriate level of security, the Processor shall take particular account of the risks presented by Processing, in particular from a Personal Data Breach.
-- -- --
5. Subprocessing
5.1 - The Company provides general authorisation to the Processor to engage Subprocessors for the Processing of Company Personal Data, subject to the conditions in this Section 5. The current list of Subprocessors is set out here.
5.2 - The Processor shall notify the Company of any intended addition or replacement of a Subprocessor at least thirty (30) days before that Subprocessor begins Processing Company Personal Data. Notification may be given by email to the account contact, by in-product notification, or by updating the published Subprocessor list together with a corresponding notice through one of the foregoing channels.
5.3 - The Company may object to a proposed change in Subprocessors on reasonable data protection grounds by notifying the Processor in writing within fifteen (15) days of receipt of the notice. The Parties shall discuss the objection in good faith with a view to resolving it. If the Parties cannot reach a resolution, the Company may, as its sole and exclusive remedy, terminate the Principal Agreement (or the affected portion of the Services) without penalty by providing written notice to the Processor.
5.4 - Where the Processor engages a Subprocessor, the Processor shall enter into a written agreement with the Subprocessor imposing data protection obligations that, in substance, offer at least the same level of protection for Company Personal Data as those set out in this Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures as required by Article 28(4) of the GDPR.
5.5 - The Processor shall remain fully liable to the Company for the performance of any Subprocessor's data protection obligations.
-- -- --
6. Data Subject Rights
6.1 - Taking into account the nature of the Processing, the Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company's obligations to respond to requests by Data Subjects to exercise their rights under Data Protection Laws.
6.2 - The Processor shall:
6.2.1 - promptly notify the Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
6.2.2 - ensure that it does not respond to that request except on the documented instructions of the Company or as required by applicable laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by such laws, inform the Company of that legal requirement before responding.
-- -- --
7. Personal Data Breach
7.1 - The Processor shall notify the Company without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Company Personal Data.
7.2 - Each notification under clause 7.1 shall, to the extent the relevant information is then known to the Processor, include:
7.2.1 - a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
7.2.2 - the name and contact details of the Processor's data protection or security contact from whom further information can be obtained;
7.2.3 - a description of the likely consequences of the Personal Data Breach; and
7.2.4 - a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.3 - Where, and insofar as, it is not possible to provide all of the information at the same time, the information may be provided in phases without further undue delay.
7.4 - The Processor shall co-operate with the Company and take such reasonable commercial steps as are directed by the Company to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
-- -- --
8. Data Protection Impact Assessment and Prior Consultation
8.1 - The Processor shall provide reasonable assistance to the Company with any data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities which the Company reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data and taking into account the nature of the Processing and information available to the Processor.
-- -- --
9. Deletion or Return of Company Personal Data
9.1 - Subject to clauses 9.2 and 9.3, the Processor shall, at the choice of the Company, either delete or return all Company Personal Data to the Company after the end of the provision of Services relating to Processing, and delete existing copies. The Company may exercise its choice by written notice to the Processor at any time up to thirty (30) days after the date of cessation of any Services involving the Processing of Company Personal Data (the "Cessation Date").
9.2 - If the Company does not exercise its choice under clause 9.1 within the period specified, the Processor shall delete all Company Personal Data and procure the deletion of all copies within thirty (30) days of the Cessation Date, subject to the backup retention period set out in Annex II.
9.3 - The Processor may retain Company Personal Data to the extent (and for the period) required by Union or Member State law, provided that the Processor shall (a) maintain the confidentiality of such Company Personal Data, (b) Process such Company Personal Data only as necessary for the purpose specified in the applicable law requiring its retention, and (c) delete it once such retention is no longer required.
9.4 - The Processor shall provide written certification to the Company that it has fully complied with this Section 9 within a reasonable period following completion of deletion or return.
-- -- --
10. Audit Rights
10.1 - The Processor shall make available to the Company, on reasonable written request, information necessary to demonstrate compliance with this Agreement and the obligations laid down in Article 28 of the GDPR.
10.2 - The Processor's primary means of demonstrating compliance shall be by providing the Company with: (a) the Processor's then-current security and compliance documentation, including OpinionX's Data Collection and Management documentation, and any third-party audit reports, certifications, or attestations the Processor holds (where applicable); (b) responses to reasonable security questionnaires; and (c) copies of access logs upon reasonable request, in accordance with the Processor's published security commitments.
10.3 - To the extent the documentation referred to in clause 10.2 is not sufficient to demonstrate compliance, the Company may request an audit (including inspection) by the Company or an independent third-party auditor mandated by the Company, subject to the following:
10.3.1 - the audit shall be conducted no more than once in any twelve (12) month period, save where required by a Supervisory Authority or following a confirmed Personal Data Breach affecting the Company Personal Data;
10.3.2 - the Company shall provide at least thirty (30) days' prior written notice;
10.3.3 - audits and inspections shall be conducted remotely by default (for example, by document review, security questionnaire, and where appropriate by video conference); on-site or other in-person elements shall apply only where mutually agreed in writing, taking into account that the Processor operates as a fully remote organisation;
10.3.4 - the audit shall be conducted during normal business hours and in a manner that does not unreasonably interfere with the Processor's business operations;
10.3.5 - the auditor shall not be a competitor of the Processor, and shall be subject to confidentiality obligations no less protective than those in this Agreement;
10.3.6 - the scope of the audit shall be agreed in advance and limited to information relevant to the Processing of Company Personal Data, and shall not extend to (a) information of other customers of the Processor, (b) the internal infrastructure of the Processor's hosting Subprocessors (which is independently audited and certified by those Subprocessors), or (c) information the disclosure of which would breach the Processor's legal obligations or third-party confidentiality duties;
10.3.7 - the Company shall bear its own costs and the Processor's reasonable costs of facilitating the audit, except where the audit reveals material non-compliance by the Processor, in which case the Processor shall bear its own costs; and
10.3.8 - in lieu of an audit under this clause 10.3, the Processor may, at its option, satisfy the Company's request by providing a then-current third-party audit report, certification, or attestation that addresses the relevant matters, provided that such report is made available to the Company subject to appropriate confidentiality undertakings.
10.4 - The Processor shall, without undue delay, address any material findings of non-compliance identified through an audit conducted under this Section 10.
-- -- --
11. Data Transfers
11.1 - The Processor's primary data storage location is the Republic of Ireland. The Processor shall not transfer, or authorise the transfer of, Company Personal Data to any country outside the EEA, the United Kingdom, or Switzerland (a "Third Country") without ensuring that an appropriate transfer mechanism under Data Protection Laws is in place.
11.2 - Where Company Personal Data is transferred to a recipient in the United States, the Processor relies on the EU–US Data Privacy Framework (and, where applicable, the UK Extension and the Swiss–US Data Privacy Framework) as the primary transfer mechanism, provided the recipient is self-certified under, and remains an active participant in, the relevant Framework. The Processor verifies the certification status of US-based Subprocessors against the official registry maintained by the US Department of Commerce.
11.3 - To the extent that the Processing of Company Personal Data involves a Restricted Transfer for which the EU–US Data Privacy Framework does not provide a valid basis (whether because the recipient is not certified in the EU–US Data Privacy Framework, the transfer is not to the United States, or otherwise), the Parties hereby enter into the SCCs, which are incorporated into this Agreement by reference, on the following basis:
11.3.1 - Module Two (Controller to Processor) shall apply where the Company is a Controller and the Processor is processing Company Personal Data on the Company's behalf;
11.3.2 - Module Three (Processor to Processor) shall apply where the Company is itself a processor acting on behalf of a third-party controller;
11.3.3 - in Clause 7 (the docking clause), the optional language shall apply;
11.3.4 - in Clause 9 (use of subprocessors), Option 2 (general written authorisation) shall apply, with the time period for prior notice specified in Section 5.2 of this Agreement;
11.3.5 - in Clause 11 (redress), the optional independent dispute resolution language shall not apply;
11.3.6 - in Clause 17 (governing law), the SCCs shall be governed by the laws of the Republic of Ireland;
11.3.7 - in Clause 18 (choice of forum and jurisdiction), disputes shall be resolved before the courts of the Republic of Ireland;
11.3.8 - the information required for Annex I, Annex II, and Annex III of the SCCs is set out in Annex I, Annex II, and Annex III to this Agreement, which serve as the SCC annexes for those purposes.
11.4 - To the extent that the Processing of Company Personal Data involves a Restricted Transfer subject to UK GDPR for which the UK Extension to the Data Privacy Framework does not provide a valid basis, the UK IDTA is incorporated into this Agreement by reference, in the form issued by the UK Information Commissioner's Office, and the information required for the tables of the UK IDTA shall be drawn from the corresponding provisions of this Agreement and its Annexes.
11.5 - To the extent that the Processing of Company Personal Data involves a Restricted Transfer subject to the Swiss FADP for which the Swiss–US Data Privacy Framework does not provide a valid basis, the SCCs shall apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner, including (a) references to the GDPR being read as references to the FADP where applicable, (b) the term "Member State" not being interpreted to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence, and (c) the competent supervisory authority being the Swiss Federal Data Protection and Information Commissioner in respect of transfers exclusively subject to the FADP.
11.6 - Where required by Data Protection Laws, the Processor applies supplementary measures to protect Company Personal Data during international transfers, including encryption in transit and at rest as set out in Annex II.
11.7 - In the event of any conflict between this Agreement and the SCCs or the UK IDTA, the SCCs or UK IDTA (as applicable) shall prevail in respect of Restricted Transfers.
-- -- --
12. General Terms
12.1 - Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement ("Confidential Information") confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party, except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
12.2 - Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post, or sent by email to the address or email address set out in the heading of this Agreement, or such other address as notified from time to time by the Parties changing address.
12.3 - Order of precedence. In the event of a conflict between the body of this Agreement and any Annex, the body of this Agreement shall prevail, except in respect of Restricted Transfers as set out in clause 11.7.
-- -- --
13. Governing Law and Jurisdiction
13.1 - This Agreement is governed by the laws of the Republic of Ireland.
13.2 - Any dispute arising in connection with this Agreement which the Parties are unable to resolve amicably will be submitted to the exclusive jurisdiction of the courts of the Republic of Ireland.
-- -- --
Custom Data Protection Agreement
Custom DPAs are available to customers on the Accelerate tier only. To enquire for a custom DPA, please contact [email protected].
-- -- --
ANNEX I — Description of Processing
This Annex also serves as Annex I to the SCCs incorporated under Section 11.
A. List of Parties
Data Exporter (Controller): The Company, as identified in the Principal Agreement (the user of the OpinionX Services).
Activities relevant to the data transferred: Operating its own business and using the Services to design, distribute, and analyse surveys and related research instruments, and to manage the responses collected.
Role: Controller (or, where applicable, processor acting on behalf of a third-party controller).
Data Importer (Processor): OpinionX Limited
Address: Cois Abhann, Ballycahan, Kilcock, Co. Kildare, W23 KN2W, Republic of Ireland.
Company registration number: 672475.
Data Protection Officer: Daniel Kyne, [email protected].
Activities relevant to the data transferred: Providing the OpinionX SaaS platform, which enables the Data Exporter to design, distribute, and analyse surveys and related research instruments, including ranking, segmentation, and choice-based methods, and to manage the responses collected.
Role: Processor.
B. Description of Transfer
Categories of Data Subjects whose Personal Data is Processed:
Authorised users of the Data Exporter's OpinionX account. Employees, contractors, and other individuals authorised by the Data Exporter to access the Services on its behalf.
Survey Participants. Individuals invited by the Data Exporter to participate in surveys or research activities created using the Services. Depending on the Data Exporter's use case, these may include the Data Exporter's customers, prospects, employees, members, students, research panellists, or other individuals.
Categories of Personal Data Processed:
The categories below are consistent with the OpinionX Privacy Policy.
Account user data: name, username, email address, password (stored in hashed form), role within the Data Exporter's account, and login activity.
Survey Participant data: survey responses (including any free-text answers); contact information uploaded by the Data Exporter to invite Survey Participants (e.g., name and email address); and any additional data the Data Exporter chooses to associate with a Survey Participant using features such as Hidden Fields or the Enrichment tab, the content of which is determined by the Data Exporter.
Technical data: IP address, browser type and version, device type, operating system, referrer page, date and time stamps, and session-related identifiers used to provide and secure the Services. As stated in the Privacy Policy, technical data collected from Survey Participants is not linked to their Survey Data.
Cookies (Survey Participants): the Services set one short-lived product cookie on the survey-taking interface, with a lifetime of up to 24 hours, used to prevent a Survey Participant from accidentally losing their place in a survey. No advertising or third-party tracking cookies are set on the survey-taking interface by the Processor. Cookie usage on the OpinionX marketing website is described in the Privacy Policy.
Sensitive Data: The Services are not designed to Process special categories of Personal Data (Article 9 GDPR) or data relating to criminal convictions and offences (Article 10 GDPR). The Data Exporter is responsible for ensuring it does not submit such data into the Services unless specifically agreed in writing with the Data Importer and accompanied by appropriate additional safeguards. Where the Processor becomes aware of such data being stored without appropriate safeguards, it may, in accordance with the Privacy Policy, contact the Data Exporter to request correction and, if necessary, remove such data.
Frequency of Transfer: Continuous, for the duration of the Principal Agreement.
Nature of the Processing: Hosting; storage; collection of survey responses; analysis (including statistical aggregation, ranking, segmentation, and AI-assisted analysis where enabled by the Data Exporter); display of results to authorised users of the Data Exporter; export and deletion of data on the Data Exporter's instructions; backup; security monitoring; and provision of customer support.
Purpose of the Processing: To enable the Data Exporter to use the OpinionX Services to gather and analyse opinions, preferences, and priorities from its own Data Subjects, in accordance with the Principal Agreement.
Period for which Personal Data will be Retained: Account user data and Survey Data are retained for the duration of the Data Exporter's OpinionX account. The Data Exporter may delete Survey Data at any time using in-product controls, and may delete its OpinionX account from account settings. On account deletion, Personal Data is removed from production systems in accordance with Section 9 of this Agreement; backup copies are deleted in line with the backup retention period set out in Annex II. Personal Data may be retained beyond these periods only to the extent required by applicable law (for example, to meet civil, commercial, or tax record-keeping obligations), as set out in the Privacy Policy and in clause 9.3.
Onward Transfers: To Subprocessors listed here, on the basis of the safeguards set out in Section 5 and Section 11 of this Agreement.
C. Competent Supervisory Authority
The Data Protection Commission (Ireland), 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland, shall act as the competent Supervisory Authority for the SCCs incorporated under Section 11.
For Restricted Transfers subject to the UK GDPR: the UK Information Commissioner's Office.
For Restricted Transfers subject to the Swiss FADP: the Swiss Federal Data Protection and Information Commissioner.
-- -- --
ANNEX II — Technical and Organisational Measures
This Annex also serves as Annex II to the SCCs incorporated under Section 11. The measures below describe the Processor's baseline controls and align with OpinionX's Data Collection and Management documentation. The Processor may update or modify these measures from time to time, provided that the overall level of protection of Company Personal Data is not materially decreased.
1. Pseudonymisation and Encryption of Personal Data
Encryption at rest: Company Personal Data stored in production databases is encrypted using AES-256 encryption.
Encryption in transit: all network traffic between Data Subjects, the Data Exporter's authorised users, the Services, and the Processor's hosting and database providers is encrypted using Transport Layer Security (TLS).
Backups: backups of Company Personal Data are encrypted.
Pseudonymisation: as stated in the Privacy Policy, pseudonymisation may be applied as a supplementary measure where appropriate, in particular in the context of international data transfers.
2. Confidentiality, Integrity, Availability, and Resilience of Processing Systems
Hosting environment: the Services are hosted on Microsoft Azure, with Company Personal Data stored in the Republic of Ireland. The database tier uses MongoDB Atlas.
Network isolation: each database is deployed in an isolated virtual private cloud and is accessible only from granted IP addresses; databases are not directly accessible from the public internet.
Multi-tenant architecture with logical separation: Company environments are logically separated at the application and database layers within a multi-tenant architecture.
Access control: access to production systems and to Company Personal Data is restricted to Processor personnel with a legitimate business need, on a least-privilege basis.
Multi-factor authentication for personnel: multi-factor authentication is required for Processor personnel and for the third-party platforms used by Processor personnel that may provide access to Company Personal Data.
Confidentiality obligations: all Processor personnel with access to Company Personal Data are subject to written confidentiality obligations.
Logging: the Processor maintains access logs for production systems and can make access logs available to the Company on reasonable request.
3. Ability to Restore Availability and Access in the Event of an Incident
Backups: the Processor takes regular, encrypted backups of Company Personal Data.
Recovery objectives: the Processor's target Recovery Time Objective (RTO) is less than four (4) hours and its target Recovery Point Objective (RPO) is less than one (1) day.
Business continuity: the Processor maintains a documented business continuity plan.
4. Regular Testing, Assessing, and Evaluating the Effectiveness of Measures
Penetration testing: the Processor commissions independent third-party penetration testing of the Services on a periodic basis. Summary findings may be made available to the Company on reasonable request, subject to appropriate confidentiality undertakings.
Vulnerability management: the Processor relies on the security controls and patching cadence of its underlying hosting and database providers (Microsoft Azure and MongoDB Atlas), and applies security updates to its application stack on an ongoing basis.
Access reviews: access rights to production systems are reviewed periodically, with revocation upon role change or departure.
Subprocessor reviews: Subprocessor security posture is reviewed prior to engagement and on a periodic basis thereafter (see Section 12 below).
Incident response: the Processor maintains formally defined criteria for notifying customers in the event of an incident that may affect the security of their data or the Services, as set out in Section 7 of this Agreement.
5. Identification and Authentication of Users
Authorised users of the Data Exporter: authentication uses unique account credentials with minimum password requirements.
Single sign-on (SSO): SAML SSO is available for team workspaces. Where SSO is enabled, authentication and (where configured upstream) multi-factor authentication are managed by the Data Exporter's identity provider.
User management: account administrators of the Data Exporter may add or deactivate authorised users at any time.
6. Protection of Data During Transmission and Storage
All data in transit between the Data Subject's browser, the Data Exporter's authorised users, the Services, and the Processor's Subprocessors is protected using TLS.
All data at rest in production databases and backups is encrypted with AES-256.
7. Physical Security of Locations at which Personal Data are Processed
Physical security of production environments is provided by Microsoft Azure (Republic of Ireland region) and by MongoDB Atlas, which maintain industry-standard physical security controls and certifications (including, for Microsoft Azure, ISO/IEC 27001, SOC 1/2/3, and other certifications published by the provider).
The Processor operates as a fully remote organisation and does not maintain a physical office. The Processor's registered office address is used for legal and correspondence purposes only and is not used for the storage of, or routine access to, Company Personal Data. Personnel work from remote locations using the endpoint and access controls described in Section 8 below.
8. Events Logging and Configuration of Systems
Logging is enabled for production systems, including authentication and administrative actions.
Configuration of production systems is managed through controlled change processes.
Endpoints used by Processor personnel with access to Company Personal Data are configured with security controls appropriate to their use.
9. Internal IT and IT Security Governance and Management
The Processor maintains internal information security practices covering acceptable use, access control, incident response, and data handling.
All Processor personnel with access to Company Personal Data are made aware of the Processor's privacy and security obligations on engagement and on an ongoing basis.
The Processor follows a documented incident response process, summarised in Section 7 of this Agreement.
10. Certifications, Assurance, and Accountability
The Processor's hosting Subprocessors (Microsoft Azure and MongoDB Atlas) maintain industry-standard security certifications, including ISO/IEC 27001 and SOC 2.
The Processor itself does not currently hold ISO/IEC 27001 certification or a SOC 2 Type II report (as of April 2026).
The Processor maintains records of Processing activities as required by Article 30 of the GDPR.
The Processor has appointed a Data Protection Officer (Daniel Kyne, [email protected]).
11. Data Minimisation, Quality, and Retention
The Services collect only the categories of Personal Data described in Annex I.
The Data Exporter controls retention through in-product Survey Data management controls, account-level deletion, and the deletion and return mechanisms set out in Section 9.
Backups containing Company Personal Data are retained for a maximum of twelve (12) months and are deleted on rotation.
12. Subprocessor and Vendor Management
Subprocessors are subject to written agreements imposing data protection obligations consistent with this Agreement, as required by Section 5.
Subprocessor security posture is reviewed prior to engagement and on a periodic basis thereafter.
For US-based Subprocessors, the Processor verifies active certification under the EU–US Data Privacy Framework (and the UK Extension and Swiss–US Framework where applicable) against the official registry maintained by the US Department of Commerce.
13. Specific Measures for Transfers to Third Countries
The measures in this Annex II apply to all Processing of Company Personal Data, including in the context of Restricted Transfers. In addition, the Processor relies on the EU–US Data Privacy Framework, the SCCs, and (where applicable) the UK IDTA as set out in Section 11, and conducts transfer impact assessments where required by Data Protection Laws.
-- -- --
ANNEX III — List of Subprocessors
This Annex also serves as Annex III to the SCCs incorporated under Section 11.
The Processor engages the following Subprocessors for the Processing of Company Personal Data. The up-to-date list is published here and shall be treated as the authoritative version for the purposes of this Agreement.
OpinionX Limited
Location: the Republic of Ireland
Contact person’s name, position and contact details: Daniel Kyne, CEO, [email protected]
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To develop and maintain the Services, including OpinionX’s web platform, create analytical reports, and to provide various business and operational services, including sales, marketing, business enhancement, bookkeeping as well as customer and other support services.
Microsoft
Microsoft Azure
Location: the Republic of Ireland
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To manage our application database.
Microsoft Clarity
Location: the Republic of Ireland
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To provide behavioral analytics and insights into product usage.
MongoDB
Location: the Republic of Ireland
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To provide managed database services for data storage, retrieval, and processing.
Google Analytics
Location: the Republic of Ireland
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To provide analytical reports of the OpinionX website and the Services.
Customer.io (Peaberry Software Inc)
Location: United States
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To facilitate email communications with service users.
Substack
Location: United States
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To facilitate email marketing.
Stripe
Location: the Republic of Ireland
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To create and manage invoices and (recurring) payments.
Intercom
Location: the Republic of Ireland
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To provide support services to users.
Sentry (Functional Software, Inc)
Location: United States
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): To monitor and track users in order to identify and resolve errors in our application.
