Data Processing Agreement

This Data Processing Agreement (DPA) forms part of the Terms of Service and Privacy Policy between SurveyNoodle ("Processor") and the Customer ("Controller"), collectively referred to as the Parties.

By using SurveyNoodle, the Customer agrees to the terms of this DPA when processing Personal Data under EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

1. Definitions

• "Data Controller": The entity that determines the purposes and means of processing Personal Data.

• "Data Processor": The entity that processes Personal Data on behalf of the Data Controller.

• "Personal Data": Any information relating to an identified or identifiable natural person.

• "Processing": Any operation performed on Personal Data, including collection, storage, alteration, or deletion.

• "Subprocessor": Any third party engaged by the Processor to process Personal Data.

• "Data Subject": The individual whose Personal Data is processed.

• "GDPR": General Data Protection Regulation (Regulation (EU) 2016/679).

2. Scope and Roles

• SurveyNoodle acts as a Data Processor when processing survey responses on behalf of Customers.

• The Customer acts as a Data Controller when collecting Personal Data through surveys.

• This agreement governs the Processing of Personal Data submitted through the SurveyNoodle platform.

3. Obligations of the Data Processor (SurveyNoodle)

SurveyNoodle agrees to:

1. Process Personal Data only under the Customer’s documented instructions.

2. Not use Personal Data for any purpose other than providing the service.

3. Implement technical and organizational security measures to protect Personal Data.

4. Ensure confidentiality by restricting access to Personal Data to authorized personnel only.

5. Assist the Customer in responding to Data Subject rights requests, including access, correction, deletion, and data portability.

6. Notify the Customer of any data breaches affecting Personal Data within 72 hours of becoming aware.

7. Delete or return all Personal Data upon termination of the agreement, unless retention is required by law.

4. Obligations of the Data Controller (Customer)

The Customer agrees to:

1. Obtain proper consent from Data Subjects before collecting Personal Data.

2. Ensure Personal Data collected is necessary, lawful, and proportionate.

3. Provide privacy notices to Data Subjects explaining data collection and usage.

4. Ensure any Personal Data shared with SurveyNoodle complies with GDPR.

5. Use the tools provided by SurveyNoodle to fulfill Data Subject rights requests.

6. Implement security measures to protect Personal Data before sharing it with SurveyNoodle.

5. Security Measures

SurveyNoodle shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data at rest and in transit.

• Access controls to restrict unauthorized access.

• Regular security audits and vulnerability assessments.

• Incident response procedures for data breaches.

6. Subprocessors

• SurveyNoodle may engage third-party Subprocessors for data hosting, storage, and other essential functions.

• A list of current Subprocessors is available upon request.

• SurveyNoodle ensures that Subprocessors comply with GDPR data protection obligations.

7. Data Transfers

• SurveyNoodle stores and processes Personal Data within GDPR-compliant regions.

• If data is transferred outside the European Economic Area (EEA), SurveyNoodle will ensure appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs)

  • Data Privacy Framework (DPF) compliance

  • Encryption measures to protect transferred data

8. Data Subject Rights & Assistance

SurveyNoodle shall assist the Customer in fulfilling GDPR Data Subject requests, including:

• Access, rectification, and deletion of data

• Objection to processing

• Data portability

• Restriction of processing

Requests must be submitted via [SurveyNoodle’s support email].

9. Data Breach Notification

• In case of a data breach, SurveyNoodle shall:

  • Notify the Customer within 72 hours.

  • Provide details about the incident and mitigation measures.

  • Assist the Customer in complying with legal reporting obligations.

10. Termination & Data Retention

• Upon termination of the Customer's account, SurveyNoodle will delete all survey responses unless legally required to retain them.

• The Customer may request data deletion before termination via the SurveyNoodle platform.

11. Liability & Indemnification

• SurveyNoodle’s liability is limited to breaches caused by its own failure to comply with GDPR obligations.

• The Customer assumes responsibility for ensuring survey data collection is lawful and compliant with GDPR.

12. Governing Law

• This DPA shall be governed by and construed in accordance with EU data protection laws.

• Disputes shall be resolved through negotiation, and if unresolved, via arbitration or competent legal authorities.

13. Contact Information

For GDPR inquiries or data processing concerns, contact:
📧 support@surveynoodle.com
📍 SurveyNoodle, PO BOX 205, Bayview ID 83803

Agreement Acceptance

By continuing to use SurveyNoodle, the Customer acknowledges and agrees to this DPA.