Featured Webinar: Harness the Power of AI: Easily Analyze Open-End Responses - November 14 at 2pm ET
Take a peek at our powerful survey features to design surveys that scale discoveries.
Explore Voxco
Need to map Voxco’s features & offerings? We can help!
Get exclusive insights into research trends and best practices from top experts! Access Voxco’s ‘State of Research Report 2024 edition’.
We’ve been avid users of the Voxco platform now for over 20 years. It gives us the flexibility to routinely enhance our survey toolkit and provides our clients with a more robust dataset and story to tell their clients.
Steve Male
VP Innovation & Strategic Partnerships, The Logit Group
Explore Regional Offices
Take a peek at our powerful survey features to design surveys that scale discoveries.
Explore Voxco
Need to map Voxco’s features & offerings? We can help!
Get exclusive insights into research trends and best practices from top experts! Access Voxco’s ‘State of Research Report 2024 edition’.
We’ve been avid users of the Voxco platform now for over 20 years. It gives us the flexibility to routinely enhance our survey toolkit and provides our clients with a more robust dataset and story to tell their clients.
Steve Male
VP Innovation & Strategic Partnerships, The Logit Group
Explore Regional Offices
Find the best survey software for you!
(Along with a checklist to compare platforms)
Take a peek at our powerful survey features to design surveys that scale discoveries.
Explore Voxco
Need to map Voxco’s features & offerings? We can help!
Find the best customer experience platform
Uncover customer pain points, analyze feedback and run successful CX programs with the best CX platform for your team.
We’ve been avid users of the Voxco platform now for over 20 years. It gives us the flexibility to routinely enhance our survey toolkit and provides our clients with a more robust dataset and story to tell their clients.
Steve Male
VP Innovation & Strategic Partnerships, The Logit Group
Explore Regional Offices
This Data Processing Addendum (this “DPA”) is attached and made part of the agreement (the “Master Agreement”) between Customer (as identified on the Order Form), including all affiliates, if any, and the Service Provider which processes Personal Data on behalf of Customer pursuant to the Master Agreement (as identified on the Order Form).
Unless otherwise stated, the terms of this DPA will apply to all processing of Personal Data in relation to the Services provided under the terms of the Master Agreement.
The purpose of this data processing addendum (“Addendum”) is to define the provisions under which Voxco undertakes to perform, on behalf of the Customer, the data processing operations, which are described below.
As part of their contractual relations, the parties shall undertake to comply with the applicable regulations regarding personal data processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 which is applicable from 25 May 2018 (hereinafter “the General Data Protection Regulation“).
This Addendum amends and supplements the Agreement and any existing contract/terms of service/purchase order or any other document binding the two parties. The provisions of this Addendum are subject to the provisions of the Agreement, provided that, in the event of conflict, the provisions of this Addendum shall control. The Addendum is subject to the limitations of liability, and specifically the aggregate liability cap, of the Agreement.
The Addendum, except for any modification as agreed upon by both parties, shall apply for the duration or any time span linking the Customer and Voxco in a relationship of the type controller to processor, or processor to processor, or as described in Section 11 (“International Personal Data Transfers”).
Voxco is authorized to provide to the Customer the following products and services as required/applicable as described in the Agreement or other contract between the parties, of which some are subject to an applicable maintenance contract external to this Addendum:
As the processor, in relation to the Customer, Voxco undertakes to:
Voxco may engage third party sub-processors (hereinafter referred to as “sub-processor(s)“) for specific processing activities and purposes. Voxco will only engage sub-processors if(i) it determines they are capable of providing the level of protection required by applicable data protection laws; (ii) the arrangement is governed by a written contract offering a substantially similar level of protection as this Addendum; and (iii) where the sub-processor fails to fulfill it obligations under GDPR, Voxco shall remain liable to Customer for the performance of those obligations as required by GDPR.
Voxco will inform our Customers of any intended changes to the sub-processors used by Voxco, giving Customers the Voxco will inform our Customers of any intended changes to the sub-processors used by Voxco, giving Customers the opportunity to review and object to such a change.
Should Customer object to any new sub-contractor within the applicable time period, both parties shall discuss reasonable resolutions (such as stronger data protection measures) or alternatives in good faith (including non-or alternative sub-processors).
As at Jan 25, 2021, the following are potential sub-processors used by Voxco that may process Customer personal data:
NAME | POTENTIAL ACTIVITY |
SendGrid | Email Delivery North America |
Mailjet | Email Delivery Europe |
Twilio | Text Message Delivery North America |
Salesforce | Support ticket follow-up Global |
Dimension Data | Applications and data hosting provider Australia |
Rapidscale | Applications and data hosting provider USA |
Microsoft Azure | Applications and data hosting provider Europe |
IBM | Applications and data hosting provider Canada |
It is the responsibility of the Customer to provide the relevant information to the individuals who are subject of the processing activity (i.e. referred to as data subjects under GDPR) at the time their data is collected.
To the extent possible, Voxco shall assist the Customer in fulfilling its obligation to respond when data subjects wish to exercise their rights under GDPR: right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be the subject of an automated individual decision (including profiling).
For the most part, Voxco provides a self-service platform that allows Customer to independently obtain and/or modify the information they need to honour respondents’ rights.
Where the data subjects submit requests directly to Voxco to exercise their rights, we will forward these without undue delay to the relevant Customer or ask the respondent to contact the Customer directly (if we cannot determine in which survey the respondent participated).
Where possible, Voxco will forward these requests by email to the person responsible for processing at the Customer or to their Data Protection Officer, if applicable
Voxco will notify the Customer, if affected, of any personal data breach no later than 48 hours after becoming aware of a personal data breach. Notification will be sent via email to the Customer contact, the person responsible for data processing at the Customer or to their Data Protection Officer, if applicable.
As a processor, Voxco will provide assistance, to the extent possible, to the Customer in the performance of data protection impact assessments or for consultation purposes before the supervisory authority. These services are provided at the expense of the Customer.
Voxco undertakes to implement the following security measures:
To the extent that personal data is transferred to Customer outside of a country with an adequacy decision in circumstances where such transfer would be prohibited by an applicable data protection law due to the absence of a transfer mechanism, the parties agree that Module 1 (controller to controller) and Module 4 (processor to controller) provisions of the Standard Contractual Clauses are incorporated by reference into this Addendum and apply in case Personal Data is transferred (including disclosed) to the Customer under such circumstances. The parties agreement to this Addendum shall be deemed as having signed the standard contractual clauses for international transfers of personal data to third countries set out in the European Commission’s Decision 2021/914 of 4 June 2021 (at http://data.europa.eu/eli/dec_impl/2021/914/oj) and their appendixes (“Standard Contractual Clauses“).
If the Standard Contractual Clauses are applicable, the parties agree that:
Where the parties rely on an adequacy decision as a data transfer safeguard, if the adequacy decision is amended or withdrawn resulting in the inability to rely on it, the transfer of the personal data between the parties shall be conducted in accordance with the Standard Contractual Clauses approved by the European Commission, including applying any other necessary terms.
The Customer is responsible for all actions its staff performs using Voxco’s software applications and systems. In particular, the Customer is responsible for, but not limited to, the following:
Upon completion of the services related to the processing of Customer data, Voxco undertakes to provide the Customer with the necessary technical assistance so that the Customer may, where applicable, transfer the data stored on Voxco’s servers back to its own servers. Furthermore, if the Customer so wishes, Voxco will provide assistance to destroy any personal data remaining on Voxco’s servers.
Upon termination of any contract between the two parties, any Customer data that has not previously been deleted and remains on Voxco’s servers may be destroyed within 30 days of the termination of the contract.
Questions or notices about data protection may also be directed to Voxco by email to privacy@voxco.com.
Where Customer is a “business” as defined and covered by the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as amended (“CCPA”), or a service provider to such a business, the following section applies: Voxco shall be a service provider to Customer under the CCPA. Voxco will not: (i) sell, or share for cross-contextual behavioral advertising, personal data; (ii) retain, use, or disclose personal data for any purpose other than for the specific purpose of performing the services specified in the Agreement, including retaining, using, or disclosing the personal data for a commercial purpose other than providing the services specified in the Agreement; (iii) retain, use, or disclose the personal data outside of the direct business relationship between Voxco and Customer; or (iv) combine personal data from Customer with personal data that Voxco receives from another customer, or collects from its own interactions with an individual. Voxco acknowledges and agrees that it understands the requirements of the CCPA for service providers and will comply with them as applicable.
Voxco provides the Customer with the necessary documentation for demonstrating compliance with all its obligations and for allowing the Customer or any other auditor it has authorized to conduct audits, including inspections, and for reasonably contributing to such audits. Such audits shall be subject to reasonable advance written notice, occur not more than once per calendar year, and at Customer’s cost.
No alteration, amendment, or modification of this Addendum will be valid unless in writing and signed by an authorized representative of both parties. Notwithstanding the foregoing, Voxco may, subject to thirty (30) days’ written notice to Customer, make any reasonable variations to this Addendum necessary to address the requirements of any applicable data protection law, provided that Customer has an opportunity to object to the amendment.
Nothing expressed or implied in this Addendum is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
SCHEDULE 1
Data Processing Details
For the purposes of the Addendum and Schedule 2, the parties set out below a description of the Personal Data being processed under the Agreement.
Subject Matter of the Processing | Vendor’s provision of the Services to Company. |
Nature and purpose of Processing | The collection and storage of Personal Data pursuant to providing the Services to Company. |
Types of Personal Data | Personal Data that Company in its discretion provides for the Services or Vendor is directed to collect. |
Sensitive Personal Data and applied restrictions | Sensitive Personal Data that Company in its discretion provides for the Services or Vendor is directed to collect. |
Categories of Data Subject | Data Subjects may include any persons (including without limitation employees, customers, or suppliers) about whom Personal Data is provided to Vendor for the Services by, or at the direction of, Company. |
Duration of Processing | For the duration of the Agreement, or until the processing is no longer necessary for the purposes. |
List of Subprocessors | See Section 5 of the Addendum. |
SCHEDULE 2
Standard Contractual Clauses
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of France.
ANNEX I to Schedule 2
Data exporter(s):
Name: Voxco as specified on the Agreement
Address: As specified on the Agreement
Contact person’s name, position and contact details: As specified on the Agreement or available on Privacy Policy
Activities relevant to the data transferred under these Clauses: data exporter will transfer Personal Data to the data importer as required for the provision of Services by the data importer under the Agreement and as set out in the DPA.
Signature and date: please refer to signature and date in the Agreement.
Role (controller/processor): Controller or Processor, as appropriate
Data importer(s):
Name: Customer as specified on the Agreement
Address: As specified on the Agreement
Contact person’s name, position and contact details: As specified on the Agreement or available on Privacy Policy.
Activities relevant to the data transferred under these Clauses: data importer will process personal data as required for the provision of Services under the Agreement and as set out in the Agreement.
Signature and date: signature and date in the Agreement
Role (controller/processor): Controller or Processor, as appropriate
Categories of data subjects whose personal data is transferred
See Schedule 1 to the Addendum
Categories of personal data transferred
See Schedule 1 to the Addendum
Sensitive data transferred (if applicable) and applied restrictions or safeguards
See Schedule 1 to the Addendum
Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Transfers will occur from time to time as required during the course of the performance of the Services under the Agreement.
Nature of the processing
See Schedule 1 to the Addendum
Purpose(s) of the data transfer and further processing
See Schedule 1 to the Addendum
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
See Schedule 1 to the Addendum
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
See Schedule 1 to the Addendum
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL
Measures equivalent to those provided in clause 10 of the Addendum
ANNEX III – LIST OF SUB-PROCESSORS
See Schedule 1 to the Addendum