Data Processing Addendum

The finest print around.

Effective Date: October 21, 2025

1. Purpose and Scope

This Data Processing Addendum (“Addendum”) forms part of the principal services agreement (“Principal Agreement”) between Controller and Processor and sets out the obligations of the parties with respect to the processing of personal data as required by Article 28 GDPR and related legislation.

All capitalised terms not defined herein have the meaning given in the Principal Agreement or in the GDPR.

2. Subject Matter, Duration, Nature, and Purpose

  1. Subject Matter: Processing of personal data to enable survey creation, display, response collection, analytics, and related customer-experience functions provided by Zigpoll.
  2. Duration: For the term of the Principal Agreement and until deletion or return of data pursuant to § 10.
  3. Nature and Purpose: Collection, storage, analysis, export, and reporting of survey responses and associated metadata (including contact details, online identifiers, transaction references, timestamps, and engagement metrics) for purposes of feedback, marketing analysis, and customer-experience optimisation.
  4. Categories of Data Subjects: End-users, customers, and website visitors of Controller.
  5. Categories of Personal Data: Order-related metadata, usage data, device or browser identifiers, and survey responses.
  6. Special Categories of Data: None intentionally processed.

3. Processing on Documented Instructions

  1. Processor shall process personal data only on documented instructions from Controller.
  2. Persons authorised to issue and receive such instructions are identified in Schedule B.
  3. Oral instructions must be confirmed in writing (email suffices) within 24 hours and archived by both parties.
  4. Processor shall immediately inform Controller if, in its opinion, an instruction infringes applicable data-protection law.

4. Confidentiality

Processor shall ensure that all authorised personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of secrecy. Written records of such undertakings shall be retained and made available to Controller upon request.

5. Technical and Organisational Measures (TOMs)

Processor shall implement the technical and organisational measures described in Schedule C, ensuring a level of security appropriate to the risk as required by Article 32 GDPR. Processor shall provide evidence of implementation upon reasonable request or audit.

6. Sub-Processing

  • Controller grants Processor a general authorisation to engage sub-processors for the performance of the Services.
  • The current list of sub-processors is attached in Schedule A.
  • Processor shall notify Controller in writing at least 30 days before adding or replacing any sub-processor. Controller may object on reasonable data-protection grounds within 14 days.
  • Processor shall ensure each sub-processor is bound by equivalent obligations and safeguards.

7. Data Subject Rights

Processor shall assist Controller, by appropriate technical and organisational measures, in fulfilling its obligations to respond to data-subject requests under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection).

8. Personal Data Breach Notification

In the event of a personal data breach, Processor shall without undue delay and, where feasible, not later than 48 hours after becoming aware, notify Controller.

The notice shall include:

  • contact details of a data-protection contact point;
  • description of the nature of the breach (categories and approximate number of data subjects and records concerned);
  • likely consequences; and
  • measures taken or proposed to remedy or mitigate the breach.

If all information cannot be provided at the same time, Processor shall supply it in phases without undue delay.

9. Audit and Compliance

  • Processor shall make available all information necessary to demonstrate compliance with Article 28 GDPR and shall allow for and contribute to audits, including inspections, by Controller or an auditor mandated by Controller once per calendar year or following a substantiated incident.
  • Audits shall occur with 60 days’ notice and at reasonable times. Remote electronic review satisfies this requirement.

10. Return and Deletion of Data

Upon termination of the Services, Processor shall, at Controller’s choice, delete or return all personal data and delete all existing copies within 10 business days, unless Union or Member State law requires retention.

11. Liability and Governing Law

This Addendum is governed by the laws of the State of New York, USA, except to the extent mandatory provisions of EU data-protection law prevail. Liability provisions of the Principal Agreement apply equally to this Addendum.

12. Notices

All notices and communications under this Addendum must be in writing (email suffices) and addressed to the contacts listed in Schedule B.


Schedules

Schedule A – Approved Sub-Processors

Sub-Processor             | Purpose               | Location | Safeguard Mechanism
Amazon Web Services (AWS) | Hosting & Storage     | US       | SCCs + Adequacy Decision
MongoDB Atlas             | Database Services     | US       | SCCs
Redis Labs                | Database Services     | US       | SCCs
Cloudflare Inc.           | CDN & Security        | EU / US  | SCCs
Sendgrid                  | Transactional Email   | US       | SCCs
Sentry Inc.               | Error Monitoring      | EU / US  | SCCs
Google LLC (Analytics)    | Analytics / Reporting | EU / US  | SCCs
OpenAI                    | AI infrastructure     | US       | SCCs

Schedule B – Authorised Representatives & Instruction Contacts

Party     | Name / Role                      | Email             | Function
Processor | Jason Zigelbaum – CEO (Zigpoll)  | [email protected] | Receives instructions
Alternate | Support Lead (Zigpoll)           | [email protected] | Backup contact

Schedule C – Technical and Organisational Measures

Area                     | Measure                                  | Description
Access Control           | MFA and role-based access                | Internal and production access segregated
Encryption               | AES-256 at rest; TLS 1.3 in transit      | Applied to databases and APIs
Data Minimisation        | Collect only survey and engagement data  | No special category data
Integrity & Availability | Nightly backups; restore testing         | Backups retained 7 days max
System Security          | Monthly patch cycle; vulnerability scan  | Automated CI/CD checks
Incident Response        | 24-hour response playbook                | Designated security officer
Audit & Testing          | Annual penetration test                  | Scheduled every 12 months
