Data Processing Agreement

Last updated 11/09/2020

This Data Processing Agreement (the “DPA”) constitutes UserTribe’s and Customer’s obligations regarding the processing of data uploaded by Customer to the UserTribe software and is a part of the Agreement. Capitalized terms used but not defined in this DPA will have the meaning assigned to them in SLA.

 

Definitions & Interpretations

 

“Personal data” and “processing” shall have the meaning as set provided in Article 4 in Regulation 2016/679 of the European Parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereafter “General Data Protection Regulation”).

 

 

Data Controller & Processor

 

a. The customer determines the purposes and means of the personal data processed in connection with this DPA and is therefore the data controller, cf. The Danish Act on Processing of Personal Data section article 3(4) and Article 4 (7) in the General Data Protection Regulation.

b. UserTribe processes data on behalf of the data controller and is, therefore, the data processor, cf. the Danish Act on Processing of Personal Data section article 3(5) and article 4 (8) in General Data Protection Regulation.

 

Background

 

a. Customer wishes to upload, analyse and manage video as well as audio material of its customers, potential customers, employees and other business stakeholders providing feedback to Customer products and services at different stages of the project lifecycle.  

b. UserTribe has developed and is the owner of the software, which enables Customer to create business and customer insights, and, among other things, analyse how customers respond to products and services. One of the key features of the software is to gather insights from across Customer organisation into a single interface, from where the Customer can search, view and share insights within the organisation.

c. When Customer manages its customer insights through the UserTribe software, UserTribe’s software works as a hub for all data collected by Customer and uploaded to the UserTribe software. The data is stored on UserTribe’s servers and is made accessible to Customer via UserTribe’s software.

 

Consideration

 

In consideration of Customer engaging the Services of UserTribe to process personal data on its behalf, UserTribe shall comply with the security, confidentiality and other obligations imposed on it under this DPA.

 

 

Hosting

 

UserTribe stores data on behalf of Customer on servers located in the European Union (EU), cf. section 8.

 

 

Processor Obligations

 

a. UserTribe undertakes that UserTribe processes personal data only on documented instructions from Customer, including with regard to transfers of personal data to a third country or an international organisation.

b. If UserTribe is required to transfer personal data to a third country or an international organization; UserTribe shall inform the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

c. UserTribe shall implement appropriate technical and organisational measures to secure all personal data accessed or processed by UserTribe against accidental or unlawfully loss, destruction or damage, any unauthorized access to and knowledge of the personal data, or any other processing of the personal data in violation of the Danish Act on Processing of Personal Data and from 25 May 2018 the General Data Protection Regulation (GDPR).

d. Upon request by Customer, UserTribe will provide Customer with a statement of assurance regarding the technical and organisational measures.

e. UserTribe ensures that persons authorised to process personal data have committed themselves to confidentiality.

f. UserTribe agrees that it shall maintain the personal data processed by UserTribe on behalf of Customer in confidence. In particular, UserTribe agrees that, without the prior written consent of Customer, it shall not disclose any personal data supplied to UserTribe by, for, or on behalf of, Customer to any third party.

g. UserTribe shall not make any use of any personal data supplied to it by Customer other than in connection with the provision of the Services to Customer.

h. Nothing in this DPA shall prevent either Party from complying with any legal obligation imposed by a regulator or court. Both Parties shall, however, where possible, discuss together the appropriate response to any request from a regulator or court for disclosure of information.

 

Additional assistance to the customer

 

a. UserTribe will make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

b. UserTribe shall immediately inform Customer if, in UserTribe’s opinion, an instruction infringes the Danish Act on Processing of Personal Data and the General Data Protection Regulation.

c. UserTribe will assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights.

d. UserTribe will assist – taking into account the nature of processing and the information available to UserTribe – the Customer in ensuring compliance with the obligations with regard to:

      1. Security of processing;

      2. Notification of a personal data breach to the supervisory authority;

      3. Communication of a personal data breach to the data subject; and

      4. Data protection impact assessment.

e. UserTribe shall – if article 30 General Data Protection Regulation applies – maintain a record of processing activities under its responsibility and upon request give the Customer a copy hereof.

f. UserTribe’s assistance with regards to this section 7 will be done on time and material on the basis of standard hourly rates.

 

 

Controller obligations

 

a. The customer has, in accordance with the Danish Act on Processing of Personal Data and the General Data Protection Regulation, a general obligation to ensure that the technical and organisational measures are maintained which includes technical and organisational measures of a data processor such as UserTribe. UserTribe has assessed the risks with regards of UserTribe’s processing of data in accordance with this DPA and has implemented appropriate measures, cf. section 6c. The Customer is satisfied that UserTribe has implemented appropriate measures and has the right to request a statement of assurance regarding the technical and organisational measures, cf. section 6d.

b. The Customer warrants that the data which UserTribe processes in accordance with this DPA, can be processed by UserTribe.

c. The Customer shall – if article 30 General Data Protection Regulation applies – maintain a record of processing activities under its responsibility and give UserTribe a copy hereof.

 

 

Sub-processors

 

a. By entering into this DPA, Customer gives its consent to UserTribe using below sub-processors:

      1. Amazon Web Services (aws.amazon.com)

        • Location: AWS EU (Ireland) region(s)

        • Security certifications: Privacy Shield, ISO27001, SOC3

        • Use: Data storage, backups, CDN, DNS, SSL, domain management, emails

      2. Google Cloud (cloud.google.com)

        • Location: Mountain View, United States.

        • Security certifications: Privacy Shield, ISO27001, SOC3.

        • Use: Video and audio transcription, natural language processing

      3. Intercom (www.intercom.com)

        • Location: Dublin, Ireland.

        • Security certifications: Privacy Shield, SOC3.

        • Use: Subscription management, user statistics

b. UserTribe shall ensure that the same data protection obligations as set out in this DPA shall be imposed on all sub-processors and – in accordance with the Danish Act on Processing of Personal Data and the General Data Protection Regulation – remain fully liable to the Customer for the performance of sub-processors’ obligations.

c. UserTribe shall not subcontract any of its rights or obligations including using another processor under this DPA without the prior written consent of Customer.

 

 

Term & termintation

 

a. This DPA shall continue in full force and effect for so long as UserTribe is processing personal data on behalf of Customer and shall automatically terminate with the expiry or termination of the Agreement.

b. Following cancellation or termination of this DPA, UserTribe shall, at the demand of Customer, (a) return all personal data passed to UserTribe by Customer for processing, or (b) on receipt of instructions from Customer, destroy all such data. Notwithstanding the foregoing, UserTribe may retain such data where required by applicable law or reasonably necessary to prevent liability.

 

 

Choice of venue & law

 

a. This DPA shall be governed by the laws of Denmark.

b. Any dispute arising out of or in connection with this DPA, including any disputes regarding existence, validity or termination, shall be submitted to the City Court in Copenhagen if the dispute cannot be solved by good-faith negotiation between the Parties.

Copyright © 2020 UserTribe
Built with love in Copenhagen
All rights reserved.

 

Langebrogade 4
1411 Copenhagen
Denmark

 

77 Exeter Street 2604
02116 Boston, MA
USA

 

41 Luke Street
EC2A 4DP Shoreditch London
United Kingdom

 

Phone: +45 7734 8685
CVR no. 33510608

COMPANY

About Us
Press
FAQ

GET TO KNOW US

Book a demo
Business Inquiry