Data Processing Agreement
Effective: March 16, 2026
This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Heurista Terms of Service (the “Agreement”) between the entity or individual agreeing to the Agreement (“Customer” or “Controller”) and Heurista (“Processor”), operated by Heurista LLC, a wholly-owned subsidiary of Development Institute LLC, 1834 Connecticut Ave NW, Washington, DC 20002, United States. By uploading or processing personal data through the Platform, you acknowledge and agree to the terms of this DPA. A record of your acceptance is maintained in our systems. This Data Processing Agreement automatically applies to all customers who process personal data through the Platform upon acceptance of the Heurista Terms of Service. No separate execution is required. A countersigned copy is available upon request by contacting legal@heurista.com.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set forth below. Capitalised terms not defined herein shall have the meanings ascribed to them in the Agreement or in Regulation (EU) 2016/679 (the “GDPR”).
- “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Under this DPA, the Customer is the Controller with respect to Research Data.
- “Processor” means the natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. Under this DPA, Heurista is the Processor with respect to Research Data.
- “Data Subject” means an identified or identifiable natural person whose Personal Data is processed.
- “Personal Data” means any information relating to a Data Subject, as defined in Article 4(1) of the GDPR.
- “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Standard Contractual Clauses” (“SCCs”) means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914.
- “Supervisory Authority” means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR.
- “Research Data” means all Personal Data processed by the Processor on behalf of the Controller through the Platform, including survey responses, respondent identifiers, uploaded documents, and qualitative analysis outputs.
2. Scope and Purpose of Processing
2.1 Subject Matter
This DPA governs the processing of Personal Data by the Processor in connection with the provision of the Heurista AI-augmented research analysis platform (the “Platform”) to the Controller pursuant to the Agreement.
2.2 Duration
The Processor shall process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by applicable law.
2.3 Nature and Purpose of Processing
The Processor processes Personal Data to enable the Controller to conduct research analysis using the Platform’s features. The nature of processing includes:
- Collection and storage of survey responses and research data
- AI-assisted analysis of qualitative and quantitative research data
- Organisation and structuring of qualitative codes, themes, and segments
- Generation of research findings, reports, and exports
- Text-to-speech synthesis for accessibility and multilingual support
- Deletion and erasure of data upon Controller instruction or termination
2.4 Types of Personal Data
The following categories of Personal Data may be processed:
| Category | Examples |
|---|---|
| Survey responses | Free-text answers, multiple-choice selections, scale ratings |
| Respondent identifiers | Names, pseudonyms, email addresses, respondent IDs |
| Geolocation data | Country, region, or locale of respondents (where collected) |
| Uploaded documents | Interview transcripts, field notes, secondary data files |
| Qualitative analysis outputs | Codes, segments, themes, evidence matrix entries |
| Consent records | Respondent consent timestamps and acknowledgements |
2.5 Categories of Data Subjects
Data Subjects may include: survey respondents, research participants, interviewees, focus group participants, and any other individuals whose Personal Data is submitted to the Platform by the Controller.
3. Processor Obligations
In accordance with Article 28 of the GDPR, the Processor shall:
3.1 Processing on Instructions
Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
The Controller’s configuration of surveys, selection of analysis parameters, and use of Platform features constitutes documented instructions for the processing of Research Data. Additional or special instructions must be provided in writing to legal@heurista.com.
3.2 Confidentiality
Ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to personnel who require such access for the performance of their duties under the Agreement.
3.3 Security Measures (Article 32)
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures include, without limitation:
- Encryption in transit: All data transmitted between clients and the Platform is encrypted using TLS (Transport Layer Security).
- Encryption at rest: All data stored in the database is encrypted at rest using AES-256. Database backups are also encrypted.
- Password security: User passwords are hashed using the scrypt key derivation function; plaintext passwords are never stored.
- IP address hashing: IP addresses are hashed using SHA-256 before storage to minimise re-identification risk.
- API token encryption: Integration tokens and third-party API credentials are encrypted at rest.
- Session security: Session cookies are set with the HttpOnly attribute so that they cannot be read by client-side scripts, preventing cross-site scripting (XSS) attacks from accessing session tokens.
- Rate limiting and CSRF protection: Rate limiting is applied to authentication endpoints and API routes; cross-site request forgery protections are enforced on state-changing operations.
- Access controls: Role-based permissions restrict access to data and administrative functions based on the principle of least privilege.
- Security reviews: Regular security reviews and vulnerability assessments are conducted.
The Processor implements and maintains appropriate technical and organisational security measures, including encryption in transit, access controls, and regular security assessments. Security measures are reviewed and updated periodically to address evolving threats.
Customer Research Data is logically segregated at the application and database level. Each AI processing request contains data from a single customer only. No customer’s Research Data is accessible to, visible to, or included in processing requests for any other customer.
3.4 Sub-processors
The Controller provides general written authorisation for the Processor to engage Sub-processors in accordance with Section 4 of this DPA. The Processor shall:
- Maintain and make available a current list of Sub-processors (see Section 4);
- Notify the Controller at least thirty (30) days before adding or replacing any Sub-processor;
- Impose the same data protection obligations as set out in this DPA on each Sub-processor by way of a written contract;
- Remain fully liable to the Controller for the performance of each Sub-processor’s obligations.
The Controller may object to a new or replacement Sub-processor within fourteen (14) days of receiving notice. Where the Controller raises a reasonable objection, the parties shall negotiate in good faith to resolve the matter. If no resolution is reached within thirty (30) days, the Controller may terminate the affected services without penalty.
3.5 Data Subject Rights Assistance
Assist the Controller, by appropriate technical and organisational measures insofar as this is possible, in fulfilling the Controller’s obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR, including rights of access, rectification, erasure, restriction of processing, data portability, and objection.
3.6 Assistance with Compliance Obligations
Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32–36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with:
- Security of processing (Article 32)
- Notification of personal data breaches (Articles 33–34)
- Data protection impact assessments (Article 35)
- Prior consultation with supervisory authorities (Article 36)
Upon request, the Processor will provide information about its technical and organisational measures for inclusion in the Controller’s Data Protection Impact Assessment.
3.7 Data Return and Deletion
At the Controller’s choice, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data. The Processor shall provide a thirty (30) day data export window following termination of the Agreement, during which the Controller may export all Personal Data. Upon expiry of this window, the Processor shall delete all Personal Data within a reasonable period and shall certify such deletion in writing upon request.
3.8 Audit and Demonstration of Compliance
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to the terms set out in Section 8.
3.9 Notification of Infringing Instructions
Immediately inform the Controller if, in the Processor’s opinion, an instruction from the Controller infringes the GDPR or other Union or Member State data protection provisions. The Processor shall not be required to comply with any instruction that it reasonably believes to be unlawful.
4. Authorised Sub-processors
The following Sub-processors are authorised by the Controller as of the effective date of this DPA:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Anthropic, Inc. (default provider) | AI-powered analysis and conversational research assistance | Survey context, response text, qualitative segments | USA (enterprise: configurable region via AWS Bedrock or Google Vertex AI) |
| Stripe, Inc. | Payment processing and subscription management | Email addresses, payment instrument details | USA |
| Microsoft Corporation | Text-to-speech synthesis (Edge TTS) | Survey question text only (no respondent data) | USA |
| Resend, Inc. | Transactional email delivery | Email addresses, message content | USA |
| Supabase, Inc. | Database hosting and data storage | All Platform data (database, encrypted at rest) | Frankfurt, Germany (EU) |
| Fly.io, Inc. | Application hosting | Application runtime, file storage | USA |
| KoboToolbox (user-configured) | Data import integration | Form metadata, submission data | User-configured server |
4.1 Notification of Changes
The Processor shall provide the Controller with at least thirty (30) days’ prior written notice before adding or replacing any Sub-processor. Such notice shall identify the new or replacement Sub-processor, describe the processing to be performed, and specify the location of processing.
4.2 Objection Mechanism
The Controller may object to the appointment of a new or replacement Sub-processor by providing written notice to the Processor within fourteen (14) days of receiving notification. Where a reasonable objection is raised, the parties shall negotiate in good faith to reach a mutually acceptable resolution. If no resolution is reached within thirty (30) days, the Controller may terminate the services that cannot be provided without the use of the objected-to Sub-processor, without penalty and with a pro rata refund of any prepaid fees.
5. International Data Transfers
5.1 Location of Processing
Personal Data is processed and stored on servers located in the United States of America. The Controller acknowledges and agrees that, to the extent Personal Data originates from the European Economic Area (“EEA”), the United Kingdom, or Switzerland, appropriate safeguards are required for such transfers.
5.2 Transfer Mechanism
To the extent that the processing of Personal Data involves a transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a jurisdiction that has not been recognised as providing an adequate level of data protection, the parties agree that the Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 are hereby incorporated by reference into this DPA and shall apply to such transfers. For the purposes of the SCCs:
- Module Two (Controller to Processor) shall apply;
- The Controller is the data exporter and the Processor is the data importer;
- The optional docking clause (Clause 7) is included to permit additional parties to accede to the SCCs;
- Under Clause 9, Option 2 (general written authorisation) applies, with a notice period of thirty (30) days;
- The governing law under Clause 17 and the forum for disputes under Clause 18 shall be the law and courts of the EU Member State in which the Controller is established, or, if the Controller is not established in the EU, the Republic of Ireland.
5.3 Sub-processor Transfers
Anthropic, Inc.’s data processing agreement includes Standard Contractual Clauses for EU-to-US transfers. The Processor ensures that all Sub-processors engaged in the processing of Personal Data transferred from the EEA, the United Kingdom, or Switzerland are bound by appropriate transfer mechanisms.
5.4 Transfer Impact Assessment
A Transfer Impact Assessment evaluating the laws and practices of the destination country is available upon request. The Processor shall cooperate with the Controller in conducting or updating such assessments as may be required.
6. Data Subject Rights
6.1 Notification
The Processor shall promptly, and in any event within five (5) business days, notify the Controller if it receives a request from a Data Subject to exercise any right under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).
6.2 Assistance
The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests by providing such information and technical capabilities as are reasonably necessary. Such assistance may include enabling the Controller to access, export, rectify, or delete specific Personal Data records through the Platform’s administrative functions.
6.3 Direct Responses
The Processor shall not respond directly to any Data Subject request unless expressly instructed to do so by the Controller or required by applicable law, in which case the Processor shall inform the Controller of such legal requirement to the extent permitted by law.
7. Data Breach Notification
7.1 Notification Obligation
The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, of becoming aware of a personal data breach affecting Personal Data processed under this DPA.
7.2 Content of Notification
Such notification shall include, to the extent reasonably ascertainable:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- The name and contact details of a point of contact from whom further information may be obtained;
- A description of the likely consequences of the personal data breach;
- A description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.3 Cooperation
The Processor shall cooperate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of any personal data breach. The Processor shall provide supplementary information as it becomes available.
7.4 Article 34 Assistance
Where a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Processor will provide the Controller with all information necessary to notify affected data subjects within twenty-four (24) hours of the Processor’s initial notification, including the categories of data affected, the approximate number of data subjects concerned, and recommended mitigation measures.
8. Audit Rights
8.1 Right to Audit
The Controller, or an independent third-party auditor appointed by the Controller, may audit the Processor’s compliance with the obligations set out in this DPA, subject to the conditions below.
8.2 Notice and Scope
The Controller shall provide at least thirty (30) days’ prior written notice of any audit request. Audits shall be conducted during normal business hours, shall not unreasonably interfere with the Processor’s operations, and shall be limited to the processing activities governed by this DPA.
8.3 Frequency
Audits are limited to one (1) per twelve-month period, unless an additional audit is reasonably required due to a personal data breach, a regulatory investigation, or a Supervisory Authority request.
8.4 Processor Cooperation
The Processor shall provide the Controller or its appointed auditor with such information, access to facilities, and access to personnel as are reasonably necessary to conduct the audit. The Processor may require auditors to execute reasonable confidentiality undertakings before access is granted.
8.5 Cost Allocation
The Processor may charge a reasonable fee, communicated in advance, for audit-related costs exceeding one audit per year and for assistance with data subject requests beyond what the Platform’s self-service export and deletion tools provide.
9. Term and Termination
9.1 Effective Date and Duration
This DPA shall become effective upon the date the Controller accepts the Agreement and shall remain in effect for the duration of the Agreement.
9.2 Effect of Termination
Upon termination or expiry of the Agreement:
- The Processor shall provide the Controller with a thirty (30) day window to export all Personal Data from the Platform;
- Following expiry of the export window, the Processor shall delete all Personal Data in its possession and in the possession of its Sub-processors, unless retention is required by applicable law;
- Upon written request, the Processor shall certify in writing that all Personal Data has been deleted.
9.3 Survival
The provisions of this DPA that by their nature should survive termination, including without limitation confidentiality obligations, liability provisions, and audit rights with respect to processing that occurred during the term, shall survive termination of the Agreement and this DPA.
10. Liability
The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA shall limit either party’s liability to Data Subjects or Supervisory Authorities under the GDPR.
11. Governing Law
This DPA shall be governed by and construed in accordance with the governing law provisions of the Agreement, except to the extent that the GDPR or another applicable data protection law requires the application of the law of a specific jurisdiction, in which case the relevant provisions shall be governed by the law of that jurisdiction.
12. Heurista as Data Controller
Notwithstanding the foregoing, the parties acknowledge that Heurista acts as an independent Data Controller with respect to account registration data, billing information, usage analytics, and other data collected for the purpose of providing, maintaining, and improving the Platform. Heurista’s processing of such data is governed by the Heurista Privacy Policy and is not subject to the terms of this DPA.
For questions about this Data Processing Agreement, contact legal@heurista.com.