Preamble
This Data Processing Agreement is entered into between:
- FeedValue ("Processor," "we," "us"), a limited liability company registered in Virginia, United States, providing the FeedValue feedback collection platform
- The Customer ("Controller," "you"), identified by the account registration information, who uses the FeedValue Service to collect feedback from End Users
1. Definitions
In this DPA, the following terms have the meanings set forth below:
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable national data protection laws.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in applicable Data Protection Laws.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, and deletion.
- "Controller" means the entity that determines the purposes and means of Processing Personal Data.
- "Processor" means the entity that Processes Personal Data on behalf of the Controller.
- "Sub-Processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
- "End User" means any individual who submits feedback through a Widget deployed by the Controller.
- "Service" means the FeedValue feedback collection platform and related services provided under the Terms of Service.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.
2. Scope and Application
2.1 Application
This DPA applies to the Processing of Personal Data by FeedValue on behalf of the Controller in connection with the Service. This DPA is incorporated into and forms part of the Terms of Service.
2.2 Roles
For the purposes of this DPA:
- The Controller is the data controller with respect to End User Personal Data collected through Widgets
- FeedValue is the data processor Processing End User Personal Data on behalf of the Controller
2.3 Exclusions
This DPA does not apply to Personal Data that FeedValue Processes as a controller in its own right, such as Controller account information and billing data, which is governed by our Privacy Policy.
3. Details of Processing
3.1 Subject Matter and Duration
The subject matter of Processing is the provision of the FeedValue feedback collection Service. Processing will continue for the duration of the Controller's subscription to the Service, plus any retention period required for data deletion.
3.2 Nature and Purpose
FeedValue Processes Personal Data to:
- Receive and store feedback submitted by End Users
- Display feedback to the Controller through the dashboard
- Generate analytics and reports for the Controller
- Deliver feedback via webhooks as configured by the Controller
- Send notification emails to the Controller about new feedback
3.3 Categories of Data Subjects
- End Users who submit feedback through Controller's Widgets
3.4 Categories of Personal Data
The following types of Personal Data may be Processed:
| Data Category | Description |
|---|---|
| Feedback Content | Text, ratings, selections submitted through Widgets |
| Contact Information | Email address (if provided voluntarily by End User) |
| Technical Data | Browser type, device information, page URL, timestamp |
| Usage Context | URL where feedback was submitted |
Note: The Controller is responsible for ensuring that no sensitive or special category data (as defined in GDPR Article 9) is collected through the Service without appropriate safeguards and consent.
4. Processor Obligations
FeedValue agrees to:
4.1 Processing Instructions
- Process Personal Data only on documented instructions from the Controller, including transfers to third countries
- Immediately inform the Controller if any instruction infringes Data Protection Laws
- Not Process Personal Data for any purpose other than providing the Service
4.2 Confidentiality
- Ensure that personnel authorized to Process Personal Data are bound by confidentiality obligations
- Limit access to Personal Data to personnel who need access to perform the Service
4.3 Security
- Implement and maintain appropriate technical and organizational security measures as described in Section 7
- Regularly test, assess, and evaluate the effectiveness of security measures
4.4 Sub-Processing
- Not engage Sub-Processors without prior authorization from the Controller as described in Section 6
- Ensure Sub-Processors are bound by equivalent data protection obligations
4.5 Assistance
- Assist the Controller in fulfilling obligations under Data Protection Laws
- Assist with data subject requests, security assessments, breach notifications, and impact assessments
5. Controller Obligations
The Controller agrees to:
- Ensure that it has a lawful basis for collecting Personal Data through the Service
- Provide appropriate privacy notices to End Users before collecting feedback
- Obtain any necessary consents for the Processing of Personal Data
- Ensure that Personal Data provided to FeedValue is accurate and lawfully obtained
- Respond to Data Subject requests concerning Personal Data
- Comply with all applicable Data Protection Laws in its use of the Service
- Not collect sensitive or special category data through the Service without appropriate safeguards
6. Sub-Processors
6.1 Authorization
The Controller provides general authorization for FeedValue to engage Sub-Processors to assist in providing the Service, subject to the requirements in this section.
6.2 Current Sub-Processors
The following Sub-Processors are authorized as of the effective date:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| Cloudflare, Inc. | CDN, DDoS protection | Global (Edge) |
| Cloud Infrastructure Provider | Database hosting, compute | United States |
| Email Service Provider | Transactional emails | United States |
6.3 Changes to Sub-Processors
FeedValue will notify the Controller of any intended addition or replacement of Sub-Processors at least 30 days before the change. The Controller may object to the change by notifying FeedValue within 14 days of receipt of the notification.
If the Controller objects and FeedValue cannot reasonably accommodate the objection, the Controller may terminate the Service with respect to the affected Processing.
7. Security Measures
FeedValue implements the following technical and organizational security measures:
7.1 Technical Measures
- Encryption in Transit: TLS 1.3 for all data transmission
- Encryption at Rest: AES-256 encryption for stored data
- Access Controls: Role-based access with least-privilege principles
- Authentication: Secure password hashing (bcrypt) and session management
- Network Security: Firewalls, intrusion detection, and network segmentation
- Logging: Comprehensive audit logging and monitoring
7.2 Organizational Measures
- Personnel: Background checks and confidentiality agreements for employees
- Training: Regular data protection and security training
- Incident Response: Documented incident response procedures
- Vendor Management: Security assessment of Sub-Processors
- Business Continuity: Regular backups and disaster recovery procedures
7.3 Security Updates
FeedValue may update security measures from time to time, provided that updates do not materially decrease the overall level of security protection.
8. Data Subject Rights
8.1 Controller Responsibility
The Controller is responsible for responding to Data Subject requests regarding Personal Data Processed through the Service.
8.2 Processor Assistance
FeedValue will assist the Controller in responding to Data Subject requests by:
- Providing tools in the dashboard for the Controller to access, export, and delete End User data
- Forwarding any Data Subject requests received directly by FeedValue to the Controller within 5 business days
- Providing reasonable assistance for requests that cannot be fulfilled through self-service tools
8.3 Request Handling
The Controller must respond to Data Subject requests within the timeframes required by applicable Data Protection Laws. FeedValue will use reasonable efforts to assist within those timeframes.
9. Data Breach Notification
9.1 Notification Timing
FeedValue will notify the Controller of any Personal Data breach without undue delay and in any event within 72 hours of becoming aware of the breach.
9.2 Notification Content
The notification will include, to the extent known:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
- Contact point for further information
9.3 Cooperation
FeedValue will cooperate with the Controller in investigating the breach, mitigating its effects, and fulfilling notification obligations under Data Protection Laws.
10. Audits and Compliance
10.1 Audit Rights
FeedValue will make available to the Controller information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or an independent auditor mandated by the Controller.
10.2 Audit Conditions
Audits are subject to:
- Reasonable advance notice (minimum 30 days)
- Reasonable scope and duration
- Confidentiality obligations regarding information disclosed during the audit
- Not more than once per year unless required by law
- The Controller bearing the costs of the audit (unless the audit reveals material non-compliance)
10.3 Alternative Evidence
FeedValue may satisfy audit requirements by providing independent third-party certifications, audit reports, or other evidence of compliance.
11. International Data Transfers
11.1 Transfer Mechanisms
FeedValue is based in the United States. For transfers of Personal Data from the EEA, UK, or Switzerland, FeedValue relies on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): The parties agree that the SCCs are incorporated into this DPA by reference
- UK International Data Transfer Agreement: For UK transfers, the UK IDTA Addendum supplements the SCCs
- Swiss Transborder Data Transfer Agreement: For Swiss transfers, applicable Swiss addenda supplement the SCCs
11.2 Module Selection
For purposes of the SCCs:
- Module Two (Controller to Processor) applies to transfers of End User Personal Data
- Module Three (Processor to Processor) applies when FeedValue transfers Personal Data to Sub-Processors
11.3 Supplementary Measures
FeedValue implements appropriate supplementary measures, including encryption and access controls, to protect Personal Data transferred internationally.
12. Termination and Data Return
12.1 Data Return
Upon termination of the Service:
- The Controller may export Personal Data using the dashboard export functionality within 30 days
- FeedValue will provide reasonable assistance for data export upon request
12.2 Data Deletion
After the 30-day export period:
- FeedValue will delete Personal Data in accordance with its data retention policies
- Upon Controller request, FeedValue will certify in writing that data has been deleted
- FeedValue may retain data as required by applicable law, clearly disclosing such requirements
12.3 Survival
Sections of this DPA that by their nature should survive termination (including confidentiality obligations, liability limitations, and data deletion obligations) will survive termination of the Service.
13. Liability
13.1 Liability Cap
Each party's total liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.
13.2 Exclusions
Nothing in this DPA limits liability for:
- Gross negligence or willful misconduct
- Liability that cannot be limited under applicable law, including GDPR fines
- Breach of confidentiality obligations regarding Personal Data
14. General Provisions
14.1 Conflict
In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
14.2 Amendments
FeedValue may update this DPA to reflect changes in Data Protection Laws or our Processing activities. Material changes will be notified to Controllers at least 30 days in advance.
14.3 Severability
If any provision of this DPA is found to be unenforceable, the remaining provisions shall continue in full force and effect.
14.4 Governing Law
This DPA shall be governed by the laws specified in the Terms of Service, except that any provisions required by applicable Data Protection Laws shall be governed by those laws.
14.5 Contact
Questions about this DPA should be directed to:
Acceptance
By using the FeedValue Service, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement. This DPA is effective as of the date you first access or use the Service.
If you require a signed copy of this DPA for your records, please contact [email protected].