QUESTBACK GENERAL TERMS AND CONDITIONS FOR ONLINE SERVICES (Trial Account)

These Questback General Terms & Conditions for Online services (“GTC-O”) describe your rights and responsibilities when you access and use Questback’s Online Services (hereafter “Online Service(s)”) for a limited period in time for testing purposes. By accepting these GTC-O, you (hereafter “you” or “Customer”) enter into a service agreement (hereafter “Agreement”) with Questback AS, Bogstadveien 54, 0366 Oslo, Norway (hereafter referred to as “we” or “Questback”).

If you subscribe on behalf of any company, e.g. your employer, you guarantee that you are duly authorized to enter into this Agreement on behalf of such company.

We provide our Services exclusively to legal persons or individuals who have reached the age of 16. If you are younger than 16 years, we reserve the right to cease the provision of our Services at any time without notice.

1. License grant and limitations

The Customer is granted a non-exclusive, non-transferable and non-assignable right to access and use the Online Services in accordance with the license metrics below and the terms set forth in the Agreement during Trial Period for testing purposes only.

The Online Services shall be accessed only by the authorized number of Users solely for the benefit of Customer as defined in the registration.

The Online Services shall be accessed according to the agreed License Metrics. Customer may at any time write or email Questback to change any factor affecting the License Metrics or to purchase a full license, subject to then-applicable fees.

Provision of the Online Service is granted subject to the following limitations (hereafter “License Metrics”):

Online Service: Questback Essentials
Number of admin users who have administration rights to the test account: 1
Number of users who have the right to access the software: 1
Maximum number of quests per account during Trial Period: 1000
Maximum number of respondents per account: 1000
Maximum number of invitations per account: 1000
Maximum number of responses per quest: 100
Maximum number of invitations per quest: 100
Maximum number of reports per quest: 1
Trial Period: 14 days after registration

Questback grants no access or usage rights beyond those specifically listed in the License Metrics and the Agreement. Under no circumstances can the Customer lease, sell, or transfer any of its rights under the Agreement, or in other ways directly or indirectly make available to or charge a third party for any part of the Online Services. If the Customer has used, or allowed use of, the Online Services beyond the agreed License Metrics or other limits stated in this Agreement, or transferred its rights, this shall entitle Questback to invoice the additional usage, including retroactively.

2. Provision and Availability of the Online Services

Questback shall provide the Online Services with the functionality available in its most recent release.

Questback reserves the right to make changes to the Online Services, including the right to change, improve or remove parts of the functionality of the Online Services. Questback will notify the Customer in advance in a timely manner of such changes.

Questback reserves the right to perform upgrades and maintenance of the Online Services (including version changes). This may lead to the Online Services being temporarily unavailable to the Customer and respondents.

Questback may monitor the Customer’s use of the Online Services for the purpose of anonymous statistics, and for support, development, prevention and protection against use outside the scope of the Agreement, and unlawful use. For the avoidance of doubt, no personal data will be processed under this section.

Questback reserves the right to inspect, block or delete content or emails sent by use of the Online Services, suspected of containing computer virus or malignant code or suspected of being spam, while doing so taking into account the Customer’s justified interests.

3. Back-ups

Customer is solely responsible for performing backups of, and restore if necessary, its data. Data storage, security backups, and restoration of data deleted by the users themselves is not included in the service.

4. Definitions

“Trial Period” is the period defined as such in these GTC-O.

“Agreement” refers to this GTC-O, and other supplement(s) or amendment(s) collectively.

“Customer” refers to the individual or legal entity identified as Customer in these GTC-O.

“License Metric” refers to the limitations within which the Customer has access to the Online Services listed in these GTC-O. All License Metrics relate to the total use for Customer.

“Online Services” refers to the software products listed in these GTC-O, to which the Customer has access within the license grant.

“Party” and “Parties” refer to Questback and Customer, individually or jointly.

“Questback” refers to the entity in the Questback group identified in these GTC-O.

“Respondents” refers to individuals in or outside the Territory that are invited to respond to surveys, or to make part of panels or communities, as set up by Customer using the Online Services.

“Territory” refers to the countries, listed in these GTC-O, where Customer may use the Online Services. The Territory does not limit the Respondent’s possibility to provide input from any location.

“User” refers to every individual employee or on-site contractor that has access to the Online Services.

5. Data Protection

Whenever you are using the Service to create, conduct and evaluate surveys and invite Respondents you will be the “Controller” of all processed personal data relating to your Respondents and other natural persons in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) and other applicable data protection legislation.

Questback will process all personal data related to your account on your behalf and will be the “Processor” according to the GDPR.

Being the Controller, you are exclusively responsible to process all personal data in compliance with all applicable data protection regulation, e.g. to determine the purpose, legal basis for data processing, to provide statutory information to data subjects and to service data subject rights. However, Questback will help you to fulfil some of these legal requirements, e.g. by providing notices to Respondents on your behalf.

Article 28 GDPR requires you and Questback to enter into a separate data processing agreement (hereafter “DPA”) which will govern Questback’s processing of personal data on behalf of you being the Controller. By accepting these GTC-O you agree to incorporate the attached data processing agreement in Appendix A (hereafter “DPA”) by reference and adhere to the provisions set forth therein.

In case of inconsistency between the provisions in the GTC-O and the DPA, the latter shall take precedence over the GTC-O, while the GTC-O shall take precedence over any other Supplements, amendments or other documents with reference to this GTC-O.

6. Term of the Agreement

This Agreement shall commence on the date of registration, and shall automatically expire without further notice 14 days after the registration process has been completed successfully.

7. Termination

Either Party may terminate the Agreement or annual license for any Online Service in case of material breach of the other Party’s obligations in this Agreement with immediate effect.

Questback may terminate the Agreement immediately for any violation by Customer of Questback’s intellectual property rights, or for use of the Online Services in violation of any applicable laws or regulations.

Obligations in the Agreement that by their nature are continuing will survive termination or expiration.

Prior to the effective date of expiration or termination of the Agreement, the Customer is responsible for the deletion of all data and content collected by the Users, personal data in particular, from the Customer’s assigned space in the Questback database. Upon Customer’s request, Questback can assist with the deletion from the database against a fee to be agreed between the parties.

8. Rights and ownership

This Agreement provides a subscription to the standard Online Services and does not provide rights or ownership to any data, methodology, information, documents, papers or other material provided by Questback to Customer.

Copyright notices and other proprietary rights notices in the Online Services shall not be deleted or modified. The Source code from which the Online Services object code is derived will not be provided and is a trade secret of Questback to which access is not authorized. Neither Customer nor any User shall reverse engineer, reverse assemble or decompile the Online Services or in any way attempt to recreate the Source Code.

All trademarks related to the Online Services contained in the Material provided by Questback to Customer are trademarks of Questback and/or its licensors.

Content entered into or distributed from the Online Services by or on behalf of Customer, remain the property of the Customer.

Questback may use anonymized or aggregated data for the purpose of anonymous statistics, benchmarking, recommendations, software improvement, machine learning and analysis during and after termination of the Agreement. For the avoidance of doubt, no personal data will be processed under this section.

9. Customer’s Duties, Warranties and Responsibilities

The Customer is at all times under obligation to comply with all applicable laws and regulations regarding without limitation: security, privacy, direct marketing and mass distribution.

Customer is responsible for informing all parties authorized to access or use the Online Services of the relevant terms of the Agreement and any related user documentation and be responsible for their adherence to such terms.

The Customer is directly responsible for all data and other content the Customer enters into, collects and/or distributes via any of the Online Services. The Customer warrants that the content will not infringe any applicable laws, regulations or third-party rights (including Intellectual Property Rights) or include material which is in breach of applicable security or privacy regulations, or regarded as offensive or defamatory under applicable law. It is Customer’s responsibility to ensure that any files downloaded are checked in accordance with their own file security guidelines and requirements. Any data content the Customer uses or distributes via the Online Services must be accurate, and comply with all applicable laws, rules and regulations.

The Customer hereby indemnifies Questback against all claims, demands, costs (including reasonable legal costs), expenses, losses and liabilities incurred by Questback as a result of any action or claim that content collected, stored and distributed by Customer through the Online Services is illegal or inappropriate, or was collected, stored, or distributed in violation of applicable law, or that such content infringes third party Intellectual Property Rights. This section shall survive termination of the Agreement.

10. Limited warranty

Questback warrants that it has the right to license the Online Services to Customer. The exclusive remedy for breach of this warranty is set forth in sections 10, 11 and 12.

Questback warrants that the Online Services will substantially conform to its user documentation including any updates thereto. If it does not, at Questback’s option, Questback will as its exclusive remedy for breach of this warranty either make it conform, replace it with conforming services, or terminate the license and refund the relevant portion of the license fees for the relevant Online Services for the current period.

Questback disclaims all other warranties and conditions, express or implied, including without limitation any implied warranties of merchantability, satisfactory quality and fitness for a particular purpose, or arising as a result of custom or usage in the trade or by a course of dealing. Without limiting the generality of the foregoing, Questback does not warrant or represent that use of the Online Services will result in compliance, fulfilment or conformity with the laws, rules, regulations, requirements or guidelines of any governmental agency. Questback’s licensors provide Online Services “as is”.

11. Liability

Each Party’s liability in relation to the subject matter of this Agreement is limited to direct losses suffered by the Party, and caused by the other Party’s breach of obligations under this Agreement.

With exception for liability arising from fraudulent misrepresentation or other fraud, gross negligence or wilful misconduct, breach of obligations under section 12 (indemnification) or from personal injury or physical damage, neither Party shall be liable for special, incidental, indirect or consequential damages including but not limited to loss of profits and loss of data, however caused and under any theory of liability and whether or not the Party has been advised of the possibility of such loss.

Under no circumstances will Questback be liable for punitive damages arising in contract or tort.

Each Party’s liability in relation to this Agreement, including any indemnities and penalties, shall not, under any circumstances, exceed the license fees paid by the Customer under this Agreement, excluding any value added tax.

Questback is not in control of the content collected, stored and distributed by Customer through the Online Services, and expressly disclaims any responsibility or liability for the content distributed, stored and/or collected through use of the Online Services, or the results generated.

This section 11 shall survive termination of the Agreement.

12. Indemnification

If any claim alleging that the Online Services infringe any copyright, patent, trade secret or other intellectual property rights belonging to a third party is made against the Customer, the Customer agrees to promptly notify Questback in writing, allow Questback to conduct and control the litigation or settlement of such claim, and cooperate with Questback in the investigation, defence, and/or settlement thereof. Subject to such prompt notification, Questback shall indemnify the Customer by paying any settlement approved by Questback, or any judgment, costs, or legal fees finally awarded against the Customer for such claim. Customer may participate at Customer’s own expense.

This indemnification obligation shall not apply to the extent the claim is based on or is a result of a combination of the Online Services with other software or any modification to the Online Services if such claim would not have been made but for the combination or modification or to the extent the claim relates to content collected, stored and distributed by Customer through the Online Services.

If such a claim is made or, in Questback’s opinion, is likely to be made, Questback, at its discretion, may modify the Online Services, obtain rights for the Customer to continue using the Online Services, or terminate the license for the Online Services product at issue and refund the relevant portion of the current license fees paid by Customer. Customer agrees to abide by Questback’s decision and, if required, cease using the Online Services.

If any claim is made alleging that the Customer’s use of the Online Services is unlawful or infringes any intellectual property rights belonging to a third party, Customer shall defend, hold harmless and indemnify Questback.

This section 12 shall survive termination of the Agreement.

13. Complete agreement

The Agreement constitutes the entire agreement between the parties and supersedes all prior agreements or proposals concerning its subject matter. No other terms and conditions of the Customer will be deemed agreed even if Questback fails to explicitly reject them. Any modifications to this Agreement must be in writing, signed by both parties, and specifically reference the Agreement. Obligations in the Agreement that by their nature are continuing survive termination or expiration of the Agreement.

14. Injunctive Relief

Breach of Questback’s or Questback’s licensors’ intellectual property rights will lead to damages not adequately remedied by an award of money; therefore, Questback may protect those intellectual property rights through injunctive relief according to applicable law.

15. Assignment

Customer may not assign the Agreement or any of its rights or obligations hereunder without Questback’s written permission, which permission will not be unreasonably withheld.

For the purpose of this Agreement, the Parties agree that change of ownership or change of control is not regarded as Assignment or transfer.

16. Choice of law and legal venue

The Agreement shall be governed by the laws of Norway with the exclusion of the conflict of laws provisions and the Convention on Contracts for the International Sale of Goods. The parties hereby submit to the exclusive jurisdiction of any court sitting in Norway for the purpose of any action that arises out of or relates to this Agreement brought by any party hereto.

Both parties agree to comply with applicable export and import laws and regulations. The parties agree that this Agreement is not a contract for the sale of goods; therefore, this Agreement is not to be governed by the United Nations Convention on Agreements for the International Sale of Goods or any codification thereof.

March 2020

*****

DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) forms part of Questback’s provision to Customer of access to Software and related services (jointly referred to as the “Services”), as further specified in the applicable agreement between Customer and Questback, and all documents and exhibits incorporated therein (jointly referred to as the “Agreement”). Questback will carry out processing of Personal Data on behalf of the Customer in accordance with the terms of this DPA, its exhibits, the Agreement and applicable Data Protection Legislation.

The parties agree that Questback is the Processor of Personal Data under this DPA, and Customer is the Controller as defined in GDPR Article 4. In case Customer is entitled pursuant to the Agreement to use the Services for the benefit of any third party, Customer may be the Processor, while Questback may be the Sub-processor.

1. Definitions

In this DPA, all capitalized terms shall have the meanings set out in, and will be interpreted in accordance with this DPA, the GDPR and applicable Data Protection Legislation.

Agreement means the separate agreement(s) between Questback and the Customer where the content and scope of the Services provided by Questback to Customer is agreed.

Data Protection Legislation means the laws, statutes, enactments, regulations, directives, standards and other similar instruments from time to time that apply in relation to the Processing of Personal Data.

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.

Respondent means an individual who provides data by entering data into surveys made available to them by Customer.

Software means the standard online software to which Customer is granted access in the Agreement.

Sub-processor means any third party subcontractor, including Questback Affiliates, engaged by Questback which processes Personal Data on Questback’s behalf.

Questback Affiliates mean members of the Questback Group that may assist in the performance of the Agreement.

Questback Group means, for the purpose of this DPA, Questback Holding AS, Questback AS, and any wholly or fully owned subsidiaries of Questback AS.

2. Customer Obligations

2.1 Customer remains at all times responsible for compliance with its obligations as Controller or Processor under this DPA and applicable Data Protection Legislation.

2.2 In particular, Customer will:

2.2.1 Ensure that the information in Appendix A (“Description of Data and Processing”) is correct, complete, and updated if necessary (e.g. new survey projects).

2.2.2 Provide all information and notifications to Data Subjects that are required under Data Protection Legislation in due time.

2.2.3 Ensure that it has and always maintains a lawful basis in accordance with applicable Data Protection Legislation for processing of all Personal Data it performs using the Services (including obtaining valid informed consents from Data Subjects).

2.2.4 Inform Questback without undue delay in the event i) the legal basis for Customer’s data processing in accordance with applicable Data Protection Legislation ceases to exist (e.g. withdrawal of consent by Data Subject), and ii) Customer obtains information that creates suspicion of unauthorized access to or handling of Personal Data. Customer shall provide all relevant information. Section 9 of this DPA applies accordingly.

3. Questback Obligations

Questback shall at all times fulfil its responsibilities as Processor under applicable Data Protection Legislation, in particular, Questback will:

3.1 Process the Personal Data only on documented written instructions from the Customer. Unless otherwise specified, Questback will perform the initial instructions set forth in the Agreement. Questback will immediately inform Customer if, in its opinion, any instruction infringes applicable Data Protection Legislation, and suspend further processing until Customer confirms the legality of processing the data in writing.

3.2 ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 take into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in GDPR Chapter III.

3.4 assist the Customer in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36 taking into account the nature of processing and the information available to the Processor.

3.5 make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and allow for audits by the Customer.

3.6 assist the Customer in ensuring compliance with applicable law, including assisting the Customer with complying with duty of notification to Supervisory Authorities and Data Subjects in case of a Personal Data Breach.

Assistance as set out above, shall be carried out to the extent necessary, taking into account the Customer’s need, the nature of the processing and the information available to the Processor.

4. Technical and Organizational Measures, IT Security

4.1 When processing Personal Data on behalf of Customer in connection with fulfilment of the Agreement, Questback shall ensure that it implements and maintains appropriate technical and organizational security measures for the processing of such data taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

4.2 Appropriate technical and organizational measures to ensure a level of security appropriate to the risk may include the pseudonymization and encryption of Personal Data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

4.3 In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

4.4 Questback shall take steps to ensure that any natural person acting under Questback’s authority who has access to Personal Data does not process them except on instructions from the Customer, unless he or she is required to do so by applicable Data Protection Legislation.

Questback is entitled to change, adjust, modify, update or replace any of its technical and organizational measures, provided however that the level of data protection and security may not be compromised.

5. Administration of Personal Data

5.1 Questback will at all times grant Customer, as agreed in the Agreement, electronic access to the online Software platform that holds Customer’s Personal Data, allowing Customer to delete, release, correct, export, save or block access to specific Personal Data, as Customer requires.

5.2 Customer may, to the extent permitted by applicable law, provide detailed written instructions to Questback to delete, release, correct, export, save or block access to Respondent Personal Data. If Customer requires Questback to perform such deletion, release, correction, export, saving or blocking of access to data that Customer could itself have performed, Customer agrees to pay Questback’s then-current fees associated with such performance.

6. Data Transfer to countries outside EEA

6.1 Questback will not transfer Personal Data outside the EEA, to any country or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for Personal Data, or (ii) not covered by a suitable safeguard recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including but not limited to Binding Corporate Rules, Binding Corporate Rules for Processors and EU Standard Model Clauses. To ensure an adequate protection of Customer’s Personal Data, Customer acknowledges that Questback may enter into EU Standard Model Clauses with its Sub-processor on behalf of Customer and facilitate all instructions.

6.2 If Customer, or a party on Customer’s behalf, will access Personal Data stored in Questback’s storage area in the EEA, or transfer Personal Data stored in Questback’s storage area in the EEA from the EEA storage area, it is Customer’s responsibility to ensure that either the transfer of data takes place based on an adequacy decision by the European Commission as defined in GDPR Article 45, or appropriate safeguards defined in GDPR Article 46 are in place for such access or transfer.

7. Sub-processors

7.1 Customer agrees that Questback may use Sub-processors to provide its Services and fulfil its contractual obligations under the Agreement and this DPA.

7.2 Questback’s website provides a full list of its Sub-processors that are currently engaged by Questback to carry out processing activities on behalf of Customer. The list is available here and will be continuously updated. Customer consents to Questback’s use of Sub-processors as described in this Section.

7.3 Questback will (i) restrict the Sub-processor’s access to Personal Data only to what is necessary to maintain the Services or to provide the Services to Customer; (ii) enter into a written agreement with the Sub-processor and will impose on the Sub-processor similar contractual obligations that Questback has under this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing of Personal Data meets the requirements of the Data Protection Legislation; and (iii) Questback will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processors that cause Questback to breach any of Questback’s obligations under this DPA.

7.4 If Questback plans to engage any new Sub-processor, Questback will notify Customer before engaging the new Sub-processor. The notification may be sent to the email address given at the top of this DPA.

7.5 Customer is entitled to object to the intended engagement within 30 days upon the receipt of a written notification. If Customer does not object to the intended engagement, the change of Sub-processor is deemed as accepted.

In case Customer objects to the engagement, Questback will work with Customer in good faith to find a mutually acceptable resolution to address such objection, e.g. by providing additional documentation to support Questback’s compliance with Data Protection Legislation, or by delivering the Services without engaging the new Sub-processor.

If the Parties do not reach a mutually acceptable solution within a reasonable time, (1) Questback is entitled to terminate this DPA and the Agreement with 30 days’ notice if the provision of the Services with the original Sub-processor is impossible or commercially unreasonable; (2) Customer is entitled to terminate this DPA and the Agreement with 30 days’ notice if there are objective and proven grounds related to the ability of such Sub-processor to adequately process Personal Data in accordance with this DPA or applicable Data Protection Legislation.

8. Audit

8.1 Customer may audit Questback’s compliance with the terms of the Agreement and this DPA up to once per calendar year, or to the extent required by applicable law. If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and Questback, except if such third party is a Supervisory Authority. Questback will not unreasonably withhold its consent to a third party auditor requested by Customer. Any person conducting the audit on behalf of Customer, either its employees or a third party, must execute a written confidentiality agreement acceptable to Questback before conducting the audit, or otherwise be bound by a statutory or legal confidentiality obligation towards Questback.

8.2 To request an audit, Customer must submit a written notification at least two weeks in advance of the proposed audit date to Questback describing the proposed scope, duration, and start date of the audit.

8.3 The audit must be conducted during regular business hours at the applicable Questback facility, subject to Questback policies, and may not unreasonably interfere with Questback business activities. Questback will make reasonable efforts to provide requested information required for such an audit to Customer or external auditor authorized according to this DPA.

8.4 Customer will provide Questback with any audit reports generated in connection with any audit under this section without extra charge, unless prohibited by law. Customer may use the audit reports only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of the Agreement and this DPA. The audit reports are confidential information of the parties under the terms of the Agreement.

8.5 If the requested audit scope is addressed in a recognized and valid certification issued by a qualified third party auditor within the last twelve (12) months and Questback provides such certificate to Customer confirming there are no material changes in the controls audited, Customer agrees to accept the findings as sufficient demonstration of Questback complying with the audit report and this DPA in lieu of requesting an audit of the same controls covered by the report. The provision of any certificate or audit report may be subject to a non-disclosure agreement between Customer and Questback.

8.6 Questback may demonstrate its Sub-processors’ compliance with their obligations according to Data Protection Legislation by providing adequate certificates (such as ISO or SOC) or audit reports from independent third party auditors that are not older than twelve (12) months. The provision of any certificate or audit report is subject to a non-disclosure agreement between Customer and Sub-processor. Customer agrees to accept the findings as sufficient demonstration of Sub-processor complying with applicable Data Protection Legislation.

8.7 Each party shall bear its own costs of conducting any audit. A mutual reimbursement of costs is excluded.

9. Incident Management and Breach Notification

9.1 Questback evaluates and responds to incidents that create suspicion of unauthorized access to or handling of Personal Data. Questback will work with Customer, within internal Questback lines of business, with the appropriate technical teams and, where necessary, with outside law enforcement to respond to the incident. The goal of the incident response will be to restore the confidentiality, integrity, and availability of the Software environment, and to establish root causes and remediation steps.

9.2 Questback shall without delay, and no later than within 60 hours, upon becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed by Questback, notify the Customer. Where the information is available for Questback, the notification shall at least:

  • describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
  • communicate the name and contact details of the data protection officer or other contact point at the Processor where more information can be obtained;
  • describe the likely consequences of the Personal Data Breach;
  • describe the measures taken or proposed to be taken by the Customer to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3 To the extent required under the GDPR, and upon Customer’s request, Questback will assist Customer in its obligation to notify the Supervisory Authority of a Personal Data Breach.

10. Requests from Data Subject

10.1 Considering the nature of the Processing, Questback shall implement appropriate technical and organisational measures to support the Customer’s obligation to respond to requests regarding exercising the rights of the Data Subject. Questback shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. Questback shall not respond to any such Data Subject request without Customer’s prior written consent, except to confirm that the request relates to Customer. Questback will forward any request from Data Subjects to Customer.

10.2 To the extent Customer, in its use or receipt of the Services, does not have the possibility to correct, amend, block or delete Personal Data, as required by Data Protection Legislation, Questback shall comply with any reasonable request by Customer to facilitate such actions to the extent Questback is legally permitted to do so.

10.3 Customer hereby instructs Questback to allow, to the extent technically possible, for Customer’s access to, and option to edit, the Personal Data from individual Respondents.

10.4 The responsibility for ensuring that Processing is compliant with applicable Data Protection Legislation when Customer accesses and edits Personal Data from individual Respondents remains solely with Customer.

10.5 Questback shall provide Customer with reasonable cooperation and assistance in relation to handling any Data Subject’s request to exercise its statutory rights, to the extent legally permitted and to the extent that Customer has no means of satisfying those rights by using the Software or Services itself.

10.6 Questback may not disclose or provide access to the Data Subject’s Personal Data to third parties. Should a request for such disclosure or access be directed to Questback, Questback shall forward this request to Customer.

11. Personnel

Questback shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have a legitimate need to access Personal Data to meet Questback’s obligations under the Agreement and this DPA, have received appropriate training on their responsibilities, and are subject to obligations of confidentiality and such obligations survive the termination of that person’s engagement with Questback.

12. Data Protection Officer

Please read more here.

13. Deletion of Personal Data

Questback’s Services provide Customer with controls that Customer may use to retrieve, rectify or delete Personal Data as described in the documentation. Following termination of the Agreement, Questback will delete all Personal Data within its due course of business and in accordance with Questback’s then-current deletion routines, but no later than 60 days, except as may be required by law. Customer is responsible for exporting its Personal Data prior to the termination of its Agreement.

14. Questback’s legitimate business interest

Questback may process Personal Data for its legitimate business interest which consists of: i) billing and account management, compensation (e.g. employee commission, partner incentives) and internal reporting and modelling (e.g. forecasting, revenue, capacity planning, product strategy); ii) prevention and detection of fraud, cybercrime, cyberattacks and other security related incidents that affect Questback’s products and services and Customer’s data; iii) research, development and product management, i.e. statistical analysis of utilization and performance for testing, quality assurance, benchmarking, tutored services, bot programming, AI development, machine learning etc. to enhance the overall user experience of Questback’s products and service. To the extent possible, Questback will only use de-identified, aggregated data to facilitate its legitimate business purposes described herein.

15. Choice of law and legal venue

15.1 This DPA and any dispute or claim arising out of or in connection with it or its subject matter shall be governed by and construed in accordance with the laws defined in the Agreement. The courts defined in the Agreement shall have exclusive jurisdiction over any dispute or claim arising out of or in connection with this DPA or its subject matter.

15.2 If the choice of law under the Agreement is the laws of a country outside the EEA, the laws of Norway will govern this DPA, and any disputes that arise out of or are related to this DPA. The parties then submit to the exclusive jurisdiction of any court sitting in Norway for the purpose of any action that arises out of or relates to this DPA brought by any party hereto.

APPENDIX A – DESCRIPTION OF DATA AND PROCESSING

In order to comply with the requirements of Data Protection Legislation, the parties must document certain details related to the Personal Data that will be processed.

Subject-matter of the processing

The subject-matter of the processing is Questback’s provision of access to its Software to Customer, in order to make Customer able to collect, process, store and analyze feedback in Questback’s Software in accordance with the Agreement. If applicable in the Agreement, the subject-matter includes provision of Support, Advisory Services and Professional Services related to Customer’s access to and use of the Software.

Duration of the processing

The duration of the processing is defined by the Customer when using the Software on a case-by-case basis. Personal Data will be stored for as long as required i) to fulfill all obligations deriving from the execution of the Agreement, this DPA or, if applicable, any additional agreements between Customer and Questback, or ii) by applicable Data Protection Legislation. Personal Data will be deleted by Questback in accordance with its then-current deletion routine, but no later than 60 days upon the expiration of the Agreement, except as may be required by Data Protection Legislation.

Nature of the processing

The Personal Data stored by Customer in the platform provided by Questback under the Agreement will be processed by Questback for project management, consultancy services, survey creation, respondent management, data collection, assessment, evaluation, extraction, reporting and processing of experience data, support inquiries, and maintenance.

Purpose for the processing

Questback shall process Personal Data solely for the purpose of fulfilling the Agreement with Customer, and shall not otherwise process and use Personal Data for purposes other than those set forth in this DPA, the Agreement, or as instructed in writing by Customer.

Customer is processing Personal Data in the Software for any of its employee or customer experience projects, market research, academic research or for any other legitimate purpose determined by Customer individually on a case-by-case basis, or in the Agreement.

The categories of Data Subjects

As the controller, Customer will specify and update the categories of Data Subjects, as Customer sees fit and inform Questback in writing. If Customer has not specified any categories of Data Subjects, the following Categories will be processed:

Customer’s employees, contractors and/or other individuals who are authorized by Customer to access and use Software, provided to Customer under the Agreement, on Customer’s behalf (“User”).

Customer’s employees, contractors, clients, customers, panelists and/or other individuals who are invited by Customer and Customer Users to respond to surveys and provide experience data (“Respondents”).

The types of Personal Data

As the controller, Customer will specify and update the types of Personal Data, as Customer sees fit and inform Questback in writing. If Customer has not specified any types of Personal Data, the following types will be processed:

Personal Data from Users may include: Name, e-mail address, telephone number, role, area of interest, address, IP address.

Personal Data from Respondents: Any Personal Data relating to Respondents as requested by Customer, such as name, e-mail address, address, telephone number, role, age, date of birth, sex, marital status, number of children, area of interest, employment details, business address, employer, position, IP address, as well as any other Personal Data provided by Respondent e.g. through open text fields.

As the Controller, Customer may choose to collect and process Special Categories of Data, as described in GDPR Article 9, 10. Customer will list such additional or specified categories herein or inform Questback separately in writing.

September 2020
