Data Processing Addendum

LAST UPDATED: MARCH 5, 2024

This Data Processing Addendum (including all Schedules attached hereto, the “DPA”) is between UserEvidence, Inc. (“UserEvidence”) and __________________ (“Client”). This DPA governs UserEvidence’s Processing of Client Personal Data where such Processing is subject to the Data Protection Laws. This DPA shall be effective from the date it has been signed by both parties until the Master Terms and Conditions or other written or electronic agreement between the parties (“Agreement”) terminates or expires.

1. Definitions

1.1. For the purposes of this DPA:

1.1.1. “CCPA” means the California Consumer Privacy Act and its implementing regulations, including as amended by the California Privacy Rights Act, and any other applicable California Data Protection Laws;

1.1.2. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data;

1.1.3. “Client Personal Data” means the Personal Data Processed by UserEvidence on behalf of Client as described in Schedule 1 to this DPA;

1.1.4. “Data Protection Laws” means all laws relating to data protection and privacy applicable to UserEvidence’s Processing of Client Personal Data, including without limitation, the CCPA, the GDPR and member state laws implementing the GDPR, the UK GDPR, and applicable privacy and data protection laws of any other jurisdiction, each as amended, repealed, consolidated or replaced from time to time;

1.1.5. “Data Subjects” means the individuals identified in Schedule 1;

1.1.6. “EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time; 

1.1.7. “GDPR” means the General Data Protection Regulation (EU) 2016/679 together with any national implementing laws in any member state of the EEA (“EU GDPR”) and the EU GDPR as incorporated into the laws of the United Kingdom (“UK GDPR”);

1.1.8. “Personal Data”, “Personal Data Breach” and “Processing” will each have the meaning given to them in the Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Laws. The term “Personal Data Breach” includes equivalent terms as defined by the Data Protection Laws;

1.1.9. “Processor” means the entity which Processes Personal Data on behalf of the Controller; 

1.1.10. “Sell” has the meaning given in the Data Protection Laws; and

1.1.11. “UK SCCs” means, where the UK GDPR applies, the International Data Transfer Addendum to the EU SCCs, issued by the Information Commissioner’s Office of the United Kingdom and available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/, which are hereby incorporated as an amendment to the EU SCCs and updated to reflect the details set forth herein. 

1.2. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

2. Processing of Client Personal Data

2.1. The parties acknowledge and agree that Client is the Controller or Processor of Client Personal Data and UserEvidence is a Processor of Client Personal Data. UserEvidence will only Process Client Personal Data as a Processor on behalf of and in accordance with Client’s prior written instructions, including any instructions provided through Client’s use of the Service. UserEvidence is hereby instructed to Process Client Personal Data to the extent necessary to provide the Service as set forth in the Agreement. UserEvidence shall not (1) retain, use, or disclose Client Personal Data other than as provided for in the Agreement, as needed to provide the Service, or as otherwise permitted by Data Protection Laws; or (2) Sell Client Personal Data. UserEvidence certifies that it understands and will comply with the restrictions contained in this Section 2.1.

2.2. UserEvidence will immediately inform Client if, in its opinion, an instruction from Client infringes the Data Protection Laws. 

2.3. The details of UserEvidence’s Processing of Client Personal Data are described in Schedule 1.

2.4. If applicable laws preclude UserEvidence from complying with Client’s instructions, UserEvidence will inform Client of its inability to comply with the instructions, to the extent permitted by law. 

2.5. UserEvidence will immediately inform Client if, in its opinion, an instruction from Client infringes the Data Protection Laws. 

2.6. Each of Client and UserEvidence will comply with their respective obligations under the Data Protection Laws. 

3. Cross-Border Transfers of Personal Data

3.1. With respect to Client Personal Data originating from the European Economic Area (“EEA”) or Switzerland that is transferred from Client to UserEvidence, the parties agree to comply with the general clauses and, where Client is a Controller of Client Personal Data, with “Module Two” (Controller to Processor) and where Client is a Processor of Client Personal Data with “Module Three” (Processor to Processor) of the EU SCCs, which are incorporated herein by reference. 

3.2. For purposes of the EU SCCs the parties agree that:

3.2.1. Client shall act and comply with the obligations, and shall have the rights, of the “data exporter” under the EU SCCs, and UserEvidence shall act and comply with the obligations of the “data importer” under the EU SCCs;

3.2.2. In Clause 7, the optional docking clause will not apply;

3.2.3. In Clause 9, Option 2 will apply and the time period for prior notice of Sub-processor changes will be as set forth in Section 5.1 of this DPA;

3.2.4. In Clause 11, the optional language will not apply;

3.2.5. For the purpose of Clause 17, the EU SCCs shall be governed by the laws of Ireland;

3.2.6. For the purpose of Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;

3.2.7. For the purposes of Annex I, Section A (List of Parties), (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Client is a Controller or Processor, and UserEvidence is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Services pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA;

3.2.8. For the purposes of Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes UserEvidence’s Processing of Client Personal Data; (ii) the frequency of the transfer is continuous (for as long as Client uses the Services); (iii) Client Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs, and the UK SCCs as applicable, and this DPA; (iv) UserEvidence uses sub-Processors to support the provision of the Services. A list of sub-Processors and the nature of the Processing activities can be found in Schedule 3.

3.2.9. For the purposes of Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Client to UserEvidence. If Client does not communicate a competent supervisory authority to UserEvidence, the competent supervisory authority shall be the Irish Data Protection Commission.

3.2.10. For the purposes of Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Client Personal Data as described in Schedule 2 or as otherwise made reasonably available by Client to UserEvidence. 

3.3. If the transfer of Client Personal Data is subject to the Swiss Federal Act on Data Protection, the following provisions apply: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Client Personal Data that is governed by the Swiss Federal Act on Data Protection; (iii) the term ‘Member State’ in the EU SCCs will not be interpreted in such a way as to exclude Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the ‘GDPR’ in the EU SCCs will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Client Personal Data is subject to the Swiss Federal Act on Data Protection.

3.4. With respect to transfers from Client to UserEvidence of Client Personal Data originating from the United Kingdom, the parties agree to comply with the UK SCCs, which are incorporated herein by reference. The parties agree that, for the purposes of the UK SCCs: (i) Client shall act as and comply with the obligations of the “data exporter”, and UserEvidence shall act as and comply with the obligations of the “data importer”; (ii) all references to the “Directive 95/46/EC” and its provisions shall be deemed to refer to the relevant provisions of the UK GDPR and the Data Protection Act 2018 of the United Kingdom; (iii) all references to the “Commission” shall be deemed to refer to the Information Commissioner; (iv) all references to the “European Economic Area” or the “European Union” shall be deemed to refer to the United Kingdom; (v) for the purposes of the UK SCCs, information about the exporter and importer, the categories of Data Subjects, types of Personal Data and type of Processing operations are as set out in Schedule 1 to this DPA; and (vi) for the purposes of the UK SCCs, the security measures are as described in Schedule 2 or as otherwise made reasonably available by data importer to the data exporter. The parties acknowledge that the Information Commissioner’s Office has not yet approved new standard contractual clauses under the UK GDPR.

4. Confidentiality and Security

4.1. UserEvidence will require UserEvidence’s personnel who access Client Personal Data to commit to protect the confidentiality of Client Personal Data.

4.2. UserEvidence will implement commercially reasonable technical and organisational measures, as further described in Schedule 2, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data. 

4.3. To the extent required by Data Protection Laws, UserEvidence will provide Client with reasonable assistance as necessary for the fulfilment of Client’s obligations under Data Protection Laws to maintain the security of Client Personal Data.

5. Sub-Processing

5.1. Client agrees that UserEvidence may engage sub-Processors to Process Client Personal Data on Client’s behalf. The agreed list of sub-Processors currently engaged by UserEvidence and authorized by Client are available in Schedule 3 (the “Authorized Sub-Processors”). UserEvidence will inform Client of any intended changes concerning the addition or replacement of any Authorized Sub-Processors and Client will have an opportunity to object to such changes on reasonable grounds within seven days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.

5.2. UserEvidence will impose on its Authorized Sub-Processors substantially the same obligations that apply to UserEvidence under this DPA. Where any of its Authorized Sub-Processors fails to fulfil its data protection obligations, UserEvidence will be liable to Client for the performance of its Authorized Sub-Processors’ obligations as if UserEvidence had performed the Authorized Sub-Processor’s obligations itself.

5.3. The parties agree that the copies of the Authorized Sub-Processor agreements that must be provided by UserEvidence to Client pursuant to Clause 9(c) of the EU SCCs and the UK SCCs, if applicable, may have commercial information or clauses unrelated to the EU or UK SCCs removed by UserEvidence beforehand; and, that such copies will be provided by UserEvidence, in a manner to be determined in its discretion, only upon Client’s written request.

6. Data Subject Rights

Client is responsible for responding to any Data Subject requests relating to Client Personal Data (“Requests”). If UserEvidence receives any Requests during the term, UserEvidence will advise the Data Subject to submit the request directly to Client or the appropriate Controller. If UserEvidence can reasonably determine that it has received a Request from one of Client’s survey respondents UserEvidence will forward the Request to Client. UserEvidence will provide Client with self-service functionality that allows Client to modify or delete surveys and survey responses and otherwise reasonably assist Client’s efforts to respond to Requests, including by deleting Client Personal Data in response to Client’s written instructions relating to a Request sent to support@userevidence.com or privacy@userevidence.com.  

7. Personal Data Breaches

UserEvidence will notify Client without undue delay after it becomes aware of any Personal Data Breach affecting any Client Personal Data. At Client’s request, UserEvidence will reasonably assist Client’s efforts to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects, if Client is required to do so under the Data Protection Laws. Client is solely responsible for complying with Personal Data Breach notification requirements applicable to Client and fulfilling any third-party notification obligations related to any Personal Data Breach. UserEvidence’s notice of or response to a Personal Data Breach under this Section 7 will not be an acknowledgement or admission by UserEvidence of any fault or liability with respect to the Personal Data Breach.

8. Data Protection Impact Assessment; Prior Consultation

UserEvidence will reasonably assist Client in conducting data protection impact assessments and consulting with data protection authorities, if Client is required to engage in such activities under applicable Data Protection Laws, and solely to the extent that such assistance is necessary and relates to the Processing by UserEvidence of Client Personal Data, taking into account the nature of the Processing and the information available to UserEvidence.

9. Deletion of Client Personal Data

Client instructs UserEvidence to delete Client Personal Data within 30 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. The parties agree that the certification of deletion described in Clause 8.5 of the EU SCCs and the UK SCCs, if applicable, shall be provided only upon Client’s written request. Notwithstanding the foregoing, UserEvidence may retain Client Personal Data to the extent and for the period required by applicable laws provided that UserEvidence maintains the confidentiality of all such Client Personal Data and Processes such Client Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.

10. Audits 

10.1. Client may audit UserEvidence’s compliance with its obligations under this DPA up to once per year. In addition, Client may perform more frequent audits (including inspections) in the event: (1) UserEvidence suffers a Personal Data Breach affecting Client Personal Data; (2) Client has genuine, documented concerns regarding UserEvidence’s compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Client Personal Data. UserEvidence will contribute to such audits by providing Client or Client’s regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Service, as described below.

10.2. To request an audit, Client must submit a detailed proposed audit plan to privacy@userevidence.com at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Client intends to appoint to perform the audit. UserEvidence will review the proposed audit plan and provide Client with any concerns or questions (for example, UserEvidence may object to the third party auditor as described in Section 10.3, provide an Audit Report as described in Section 10.4, or identify any requests for information that could compromise UserEvidence’s confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least two weeks in advance of the proposed audit start date. Nothing in this Section 10 shall require UserEvidence to breach any duties of confidentiality.

10.3. UserEvidence may object to third party auditors that are, in UserEvidence’s reasonable opinion, not suitably qualified or independent, a competitor of UserEvidence, or otherwise manifestly unsuitable. Such objection by UserEvidence will require Client to appoint another auditor or conduct the audit itself.

10.4. If the requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor on UserEvidence’s systems that Process Client Personal Data (“Audit Reports”) within twelve (12) months of Client’s audit request and UserEvidence confirms there are no known material changes in the controls audited, Client agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the report.

10.5. The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and UserEvidence’s health and safety or other relevant policies and may not unreasonably interfere with UserEvidence business activities.

10.6. Any audits are at Client’s expense and Client will promptly disclose to UserEvidence any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.

10.7. The parties agree that the audits described in Clause 8.9 of the EU SCCs and the UK SCCs, if applicable, shall be performed in accordance with this Section 10. 

11. Analytics Data

Client acknowledges and agrees that UserEvidence may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to Client or any Data Subject (“Analytics Data”), and use, publicize or share with third parties such Analytics Data to improve the Service and for UserEvidence’s other legitimate business purposes.

12. Liability

12.1. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.

12.2. Client acknowledges that UserEvidence is reliant on Client for direction as to the extent to which UserEvidence is entitled to Process Client Personal Data on behalf of Client in performance of the Service. Consequently, UserEvidence will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by UserEvidence in compliance with Client’s instructions or (b) from Client’s failure to comply with its obligations under the Data Protection Laws.

13. General Provisions

With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the EU or UK SCCs, the EU or UK SCCs will prevail.

SCHEDULE 1
Details of Processing

1. Categories of Data Subjects. This DPA applies to the Processing of Client Personal Data relating to survey respondents.

2. Types of Personal Data. The extent of Client Personal Data Processed by UserEvidence is determined and controlled by Client in its sole discretion through its creation of survey questions but generally includes names, email addresses, and any other Personal Data that may be submitted in connection with general business, product feedback, or customer satisfaction survey responses sent through the Service. 

3. Subject-Matter and Nature of the Processing. The subject-matter of Processing of Client Personal Data by UserEvidence is the provision of the Service to Client. Client Personal Data will be subject to those Processing activities which UserEvidence needs to perform in order to provide the Service pursuant to the Agreement.

4. Purpose of the Processing. Client Personal Data will be Processed by UserEvidence for purposes of providing the Service as set out in the Agreement.

5. Duration of the Processing. Client Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.

SCHEDULE 2

UserEvidence Security Statement

Last updated: February 2024
UserEvidence values the trust that our customers place in us by letting us act as custodians of their data. We take our responsibility to protect and secure your information seriously and strive for complete transparency around our security practices detailed below.

Physical Security
UserEvidence’s information systems and technical infrastructure are hosted at an Amazon Web Services (AWS) data center located in Northern Virginia, USA. The data center is a world-class, SOC 2 accredited data center. Physical security controls at AWS’ data centers include 24×7 monitoring, cameras, visitor logs, and entry requirements.

Certifications and Attestations

UserEvidence has achieved the following certifications and attestations that apply to the UserEvidence Service:

In addition, our hosting/infrastructure provider, AWS, has achieved the following relevant certifications and attestations that apply to the UserEvidence service:

Data Retention
We retain your customer data while you are an active customer of our service. After your subscription expires, we purge all your customer data from our systems within 30 days.

Access Control
Access to UserEvidence’s technology resources is only permitted through secure connectivity. Production data is only accessible via secure keys and multi-factor authentication where applicable. UserEvidence grants access on a need-to-know, least-privilege basis, reviews permissions quarterly, and revokes access immediately after employee termination.

Security Policies
UserEvidence maintains and regularly reviews and updates its information security policies, at least on an annual basis. Employees must acknowledge policies on an annual basis and undergo additional training such as Secure Coding, and job specific security and skills development and/or privacy law training for key job functions. The training schedule is designed to adhere to all specifications and regulations applicable to UserEvidence.

Personnel
UserEvidence conducts background screening at the time of hire (to the extent permitted or facilitated by applicable laws and countries). In addition, UserEvidence communicates its information security policies to all personnel (who must acknowledge this) and requires new employees to sign non-disclosure agreements, and provides ongoing privacy and security training.

Vulnerability Management and Penetration Tests
UserEvidence maintains a documented vulnerability management program which includes periodic scans, identification, and remediation of security vulnerabilities on servers, workstations, network equipment, and applications. All networks, including test and production environments, are regularly scanned using trusted third party vendors. Critical patches are applied to servers on a priority basis and as appropriate for all other patches.

We also conduct regular internal and external penetration tests and remediate according to severity for any results found.

Encryption
We encrypt your data in transit using secure TLS cryptographic protocols.

Development
Our development team employs secure coding techniques and best practices, focused around the OWASP Top Ten. Developers are formally trained in secure web application development practices upon hire and annually.

Development, testing, and production environments are separated. All changes are peer reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.

Asset Management
UserEvidence maintains an asset management policy which includes identification, classification, retention, and disposal of information and assets. Company-issued devices are equipped with full hard disk encryption and up-to-date antivirus software. Only company-issued devices are permitted to access corporate and production networks.

Information Security Incident Management
UserEvidence maintains security incident response policies and procedures covering the initial response, investigation, customer notification (no less than as required by applicable law), public communication, and remediation. These policies are reviewed regularly and tested bi-annually.

Breach Notification
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if UserEvidence learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under applicable country level, state and federal laws and regulations, as well as any industry rules or standards applicable to us. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.

Information Security Aspects of Business Continuity Management
UserEvidence’s databases are backed up on a rotating basis of full and incremental backups and verified regularly. Backups are stored within the production environment to preserve their confidentiality and integrity and are tested regularly to ensure availability. Furthermore, UserEvidence maintains a formal Business Continuity Plan (BCP). The BCP is tested and updated on a regular basis to ensure its effectiveness in the event of a disaster.

Your Responsibilities
Keeping your data secure also requires that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems.

Logging and Monitoring
Application and infrastructure systems log information to a centrally managed log repository for troubleshooting, security reviews, and analysis by authorized UserEvidence personnel. Logs are preserved in accordance with regulatory requirements. We will provide customers with reasonable assistance and access to logs in the event of a security incident impacting their account.

SCHEDULE 3

Authorised Sub-Processors

Sub-Processor                          Nature of Processing        Location
Amazon Web Services (AWS) via Heroku   Hosting/infrastructure      US
SendGrid                               Email delivery              US
Clearbit                               Contact enrichment          US
ZeroBounce                             Email cleaning              US