Data Processing Agreement

Last Updated on 07/08/2025

See also our Terms of Service and Privacy Policy.

This Data Processing Agreement is an integral part of Moderator1’s Terms of Service.

1. Definitions

1.1 In this Agreement:

"Agreement" means this data processing agreement including any Schedules, and any amendments to this Agreement agreed in writing between the Parties from time to time;

“Controller”, “Data Subject”, “Personal Data”, “Process” and “Processor” shall have the meanings given to them in the GDPR;

“Customer” means any company or individual who signs up for the service, free or paid, at moderator1.com;

"Data Protection Laws" means all applicable laws relating to the processing of Personal Data including any national, federal, state, provincial, and local laws and regulations governing the use and disclosure of personal information, including the California Consumer Privacy Act 2018, the UK GDPR, the Data Protection Act 2018 and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR);

“Terms of Service” or "ToS" means the legally binding agreement governing the use of the Services entered into between the parties on or about the date of this Agreement;

“Standard Contractual Clauses” or “SCC” means the standard contractual clauses for international transfers annexed to the European Commission's Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, published on June 4, 2021, including as incorporated into the UK Transfer Addendum, if applicable; and

"Schedule" means any schedule attached to the main body of this Agreement.

2. Supplemental

2.1 This Agreement is part of Moderator1’s Terms of Service (ToS).

2.2 Any capitalized terms that are:

  1. used in this Agreement;
  2. defined in the ToS; and
  3. not defined in this Agreement,

shall in this Agreement have the meanings given to them in the ToS.

2.3 If there is a conflict between this Agreement and the ToS, then the ToS shall take precedence.

3. Term

3.1 This Agreement shall come into force upon the Commencement Date and shall continue until all Processing of Personal Data under the ToS has completed.

4. Status

4.1 The Parties acknowledge and agree that for the purposes of the Data Protection Laws the Customer is the Controller and Moderator1 is the Processor in respect of all Personal Data Processed by Moderator1 in connection with the Services.

5. Data protection

5.1 Both Parties shall comply with the Data Protection Laws with respect to the Processing of Personal Data.

5.2 The Customer shall provide the Data Subjects with all necessary information and shall obtain all necessary consents to ensure that Moderator1 can lawfully Process their Personal Data for the purposes of performing the Services.

5.3 The subject matter and duration of the Processing, the nature and purpose of the Processing, and the type of Personal Data and categories of Data Subjects are set out in Schedule 1 to this Agreement.

5.4 Moderator1 shall only Process the Personal Data for the purposes of the Services and on the documented instructions of the Customer.

5.5 Moderator1 shall promptly inform the Customer if, in the opinion of Moderator1, an instruction of the Customer relating to the Processing of the Personal Data infringes the Data Protection Laws.

5.6 Notwithstanding any other provision of this Agreement, Moderator1 may process the Personal Data if and to the extent that Moderator1 is required to do so by law. In such a case, Moderator1 shall inform the Customer of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

5.7 Moderator1 shall ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality obligations no less stringent than those set forth in the Agreement or are under an appropriate statutory obligation of confidentiality no less stringent than those set forth in the Agreement.

5.8 Moderator1 must at all times implement industry standard technical and organizational measures against unauthorized or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Schedule 1 and the following (as appropriate):

(a) the pseudonymisation and encryption of Personal Data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

5.9 Moderator1 must not engage any third party to Process the Personal Data (Sub-Processor) without the prior specific or general written authorisation of the Customer. In the case of a general written authorisation, Moderator1 shall inform the Customer at least 7 days in advance of any intended changes concerning the addition or replacement of any Sub-Processor, and if the Customer (acting reasonably) objects to any such changes before their implementation, then Moderator1 shall take account of the Customer’s objections before proceeding with the change.

5.10 Moderator1 shall enter into a contract with each Sub-Processor on the terms of this Agreement. Where the Sub-Processor fails to fulfil any of its obligations in relation to this Agreement, Moderator1 shall be directly liable to the Customer.

5.11 As at the Commencement Date, Moderator1 is hereby authorised by the Customer to engage, as Sub-Processors with respect to Personal Data, the third parties identified in Paragraph 6 of Schedule 1 (Data processing information).

5.12 Moderator1 shall take appropriate technical and organisational measures to assist the Customer with the fulfilment of the Customer’s obligation to respond to requests exercising a Data Subject's rights under the Data Protection Laws.

5.13 Moderator1 shall assist the Customer in ensuring compliance with the obligations relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws.

5.14 Moderator1 must notify the Customer of any Personal Data breach affecting the Personal Data without undue delay and, in any case, not later than 48 hours after Moderator1 becomes aware of the breach.

5.15 Moderator1 shall make available to the Customer all information necessary to demonstrate the compliance of Moderator1 with its obligations under this Agreement.

5.16 Moderator1 shall, at the choice of the Customer, delete or return all of the Personal Data to the Customer after the provision of Services relating to the Processing, and shall delete existing copies save to the extent that applicable law requires storage of the relevant Personal Data.

5.17 Moderator1 shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in respect of the compliance of Moderator1’s processing of Personal Data with the Data Protection Laws and this Clause 5.

5.18 If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to Processing of Personal Data carried out under this Agreement, then the parties shall use all reasonable endeavours promptly to agree such variations to this Agreement as may be necessary to remedy such non-compliance.

SCHEDULE 1 (DATA PROCESSING INFORMATION)

1. Categories of data subject

The survey information and subsequent voice interview of the Customer, completed by the respondent

2. Types of Personal Data

Survey questions and responses that may include name and email addresses of respondents, email addresses of employees of the Customer, text and voice responses to survey and voice interview.

3. Subject-Matter, Nature and Purposes of processing

Assessing and evaluating the responses of surveys sent out by customers, to determine the best follow-up questions to ask in the voice interview.

4. Duration of processing

For the duration of this Contract plus a reasonable period of time afterwards to allow for the return or deletion of the Personal Data.

5. Security measures for Personal Data

  1. Access Control

    1. Preventing Unauthorized Product Access

      Authentication: Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.

      Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Moderator1’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the roles associated with each user.

    2. Preventing Unauthorized Product Use

      Moderator1 implements industry standard access controls and detection capabilities for the internal networks that support its products.

      Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

      Static code analysis: Security reviews of code stored in Moderator1’s source code repositories are performed, checking for coding best practices and identifiable software flaws.

    3. Limitations of Privilege & Authorization Requirements

      Product access: A subset of Moderator1’s employees and contractors have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.

      Background checks: All of Moderator1’s employees undergo a third-party background check prior to being extended an employment offer, in accordance with the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

  2. Transmission Control

    1. In-transit: Moderator1 makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on Moderator1’s products. Moderator1’s HTTPS implementation uses industry standard algorithms and certificates.
    2. At-rest: Moderator1 has implemented technologies to ensure that stored data is encrypted at rest.
  3. Input Control
    1. Detection: Moderator1 designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Moderator1’s personnel, including security, operations, and support personnel, are responsive to known incidents.
    2. Response and tracking: Moderator1 maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Moderator1 will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
    3. Communication: If Moderator1 becomes aware of unlawful access to Customer data stored within its products, Moderator1 will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Moderator1 is taking to resolve the incident; and 3) provide status updates to the Customer contact, as reasonably requested by Customer. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form Moderator1 selects, which may include via email or telephone.

6. Sub-processors of Personal Data

6.1 General Consent: Customer agrees that Moderator1 may engage third-party Sub-processors in connection with the provision of Services, subject to compliance with the requirements in accordance with the terms of this Agreement. As a condition to permitting a Sub-processor to Process Customer Data, Moderator1 will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this Agreement, to the extent applicable to the nature of the Services provided by such Sub-processor. Moderator1 will provide copies of any Sub-processor agreements to Customer only upon reasonable request by Customer.

6.2 Current Sub-processor List: Customer acknowledges and agrees that Moderator1 may engage its current Sub-processors listed in the chart below.

| Service provider | Location | Service provided | Lawful transfer mechanism |
| --- | --- | --- | --- |
| AWS | US | Application hosting and data storage | DPA |
| Sentry | US | Capture and storing system logs | DPA |
| Amplitude | US | Capture product usage data | Standard Contractual Clauses |
| Intercom | US | CRM data | DPA |
| Mailgun (Sinch) | US | Email notifications to interviewers. Recording of interviews conducted by phone. | Standard Contractual Clauses |
| Google | US | AI Functionalities | DPA + Standard Contractual Clauses |
| OpenAI | US | AI Functionalities | DPA + Standard Contractual Clauses |