Security

All you need to know when using Enalyzer from a security, legal and privacy perspective

Introduction

Welcome to Enalyzer’s security and legal section. This section aims to provide you with a comprehensive overview of all you need to know when using Enalyzer, from a legal, security and privacy perspective.
The information targets users of our survey web apps*, their respondents, our website visitors, and customers we are assisting with consultant projects or other survey services. Please explore the following sections for more in-depth information:

GDPR
Security
Policies
Terms of use
Data processing agreement

If you have any questions in general related hereto, please contact our support team at support@enalyzer.com. If you have any questions specifically related to GDPR and/or the Data Processing Agreement please contact our Data protection officer, Johan Leonhard at privacy@enalyzer.com.

- The Enalyzer Team

GDPR

Introduction

The General Data Protection Regulation (GDPR) harmonizes data privacy laws across the European Union (EU). The GDPR takes effect on May 25, 2018, and lays down rules of fundamental rights of processing and protection of personal data. Below we provide an overview of the requirements under GDPR, and how Enalyzer complies with these.

All Enalyzer account holders, whether located in the EU or outside the EU, have to comply with the rules of the GDPR, when collecting and/or processing personal data. The GDPR applies to Enalyzer account holders which have EU “establishments”, irrespective of whether the actual data processing takes place in the EU or not. Enalyzer account holders which are Non-EU established will be subject to the GDPR where they process personal data about data subjects who are in the EU in connection with (i) the “offering of goods or services” (payment is not required), or (ii) “monitoring” their behavior within the EU.

In relation to GDPR and surveying, the definitions of roles and their responsibilities play a central role.

Personal data


  • Any information relating to an identified or identifiable natural person (data subject) by an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing


  • Any operation performed on personal data, including but not limited to collection, organization, structuring, storage, alteration, use, disclosure by transmission etc.

The data subject


  • A person whose personal data is processed by a controller or processor. In this case, the data subject is the respondent.

The data controller


  • Determines the purpose for and how the personal data is processed. In this case, the data controller is the Enalyzer account holder who carries out the surveying and reporting.

The data processor


  • Processes data on behalf of the data controller according to its instructions. In this case, the data processor is Enalyzer, who processes data on behalf of and according to instructions from the Enalyzer account holder (data controller).

    Under the GDPR, Personal Data comprises the following categories of data:

    – Non-sensitive data (cf. GDPR article 6) of any kind including but not limited to contact information such as name, address, phone and/or mobile, gender, age, date of birth, preferences, employment position, family status etc.
    – Sensitive data (cf. GDPR article 9)*
    – Data relating to criminal convictions and offenses (cf. GDPR art. 10).
    – National identification number may be regulated by national law of the Member states.

    *Sensitive data includes: data revealing racial or ethnic origin, political opinions, religious and/or philosophical beliefs, trade union membership, processing of genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health and/or data concerning a natural person's sex life or sexual orientation. Processing of sensitive data requires explicit consent or other particular legal bases.

    Rights of respondents (data subjects)



    The respondent generally has the right to obtain the following information from the Enalyzer account holder (data controller) which must be given upon the Enalyzer account holder’s collection or receipt of the respondent’s personal data:

    – the identity and the contact details of the Enalyzer account holder (data controller)
    – the contact details of the data protection officer, where applicable
    – the purpose of the processing and the legal basis for the processing
    – the categories of personal data concerned. If there is an intent to transfer personal data to a third country outside EU
    – the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
    – the recipients to whom the personal data have been or will be disclosed
    – the right to rectification (update or correct) of inaccurate personal data concerning him/her
    – the right to erase personal data concerning him/her without undue delay
    – the right to restrict the processing of personal data
    – the right to object to the processing of personal data
    – the right to receive a copy of the personal data concerning him/her
    – the right to data portability, in order to transfer the personal data
    – the right to complain to a supervisory authority

    For the full law text and obligations of the Enalyzer account holder as data controller, please visit https://gdpr-info.eu/chapter-3/

    As stated above all respondents must contact the Enalyzer account holder, who is the data controller and administrator of the survey, to exercise their rights. As a data processor, Enalyzer is not responsible for this. Enalyzer will, therefore, refer all requests from respondents to the account holder.

    Obligations for the Enalyzer account holder (data controller)


    When personal data is collected or received by the Enalyzer account holder from the respondents the Enalyzer account holder must inform the respondents about their rights as stated above.

    For the full law text and obligations of the Enalyzer account holder as data controller, please visit https://gdpr-info.eu/chapter-3/

    Enalyzer account holders (as data controller), are solely responsible for giving information to the respondents in a clear language, according to the aforementioned. Moreover, the Enalyzer account holders shall handle all requests from their respondents with respect to rectification, erasure/deletion, restriction of processing, etc. of personal data and to provide a copy of responses etc. with personal data upon request from the respondent.

    In relation hereto, Enalyzer is committed to providing and developing features that will improve the Enalyzer account holders’ administration and execution of these rights. If you should be in doubt or need help on how to handle this, please contact our support team.

    Obligations for the Enalyzer account holder (data controller) and Enalyzer (data processor)


    The data controller that is subject to GDPR, must have in place an appropriate Data Processing Agreement (DPA) with Enalyzer as their Data processor, where, among other things, secure organizational and technical measures to process data, are regulated. The DPA also sets out the instructions that the Enalyzer account holder (data controller) gives to Enalyzer regarding the processing of the personal data of the respondents, etc. and establishes the rights and responsibilities of both parties with respect to such processing.

    Using Enalyzer to manage your surveys implies that our DPA is accepted along with our Terms of Use and Privacy Policy, and serves as your entire contract with Enalyzer. All documents are aligned to meet the GDPR demands. With the above in place, Enalyzer’s provision of our services to you will be compliant with the new GDPR regulation taking place on May 25, 2018.

    The same applies to our security, where Enalyzer itself and our hosting supplier are externally audited based on ISO27001/27002 or similar standards, to document an appropriate security level that meets the GDPR. Please visit our security section for more information and documentation on our security.

    When Enalyzer account holders provide personal information (such as contact information, cookies, payment info, etc.) in relation to use of Enalyzer’s services and platform or when signing up to become an Enalyzer account holder, Enalyzer changes role and becomes the data controller. The same applies to Enalyzer website visitors and some metadata on respondents. Please visit our Privacy Policy for additional information on what we collect and what we do with it.

Security

At Enalyzer we do our utmost to keep our customers' data safe and our web-based survey systems accessible at any time. Therefore we have engaged with Microsoft Azure, whose cloud infrastructure supports over 1 billion customers across enterprise and consumer services in 140 countries and is backed by Microsoft's $15 billion (USD) investment in global data center infrastructure. Hence, as an Enalyzer customer, you get what you should expect from a high-end web app provider: top system performance, availability, and security at best-practice levels within the industry.

In the following sections, we highlight our security’s main points. Nevertheless, since we are completely transparent, you can dig deeper and learn more about our security measures by following the relevant links for more information.

Enalyzer is also independently audited, based on the ISO27001/2700 standard, in order to ensure that we provide an appropriate technical and organizational set-up.

You can access the yearly ISAE 3402 Type 2 assurance report here

Steen Ødegaard, Enalyzer CTO and Co-founder

Platform security

Data centers

Enalyzer is hosted at two separate EU based data centers in Amsterdam (Netherlands) and Dublin (Ireland). Uptime is guaranteed at 99,9%. These data centers comply with premium industry standards, such as ISO 27001, and undergo continuous external auditing. Each facility is designed to run 24x7x365 and employs various measures to help protect operations from power failures, physical intrusion, and network outages.

Enalyzer also offers a variety of options to distribute e-mails, if needed, ranging from own servers to the third-party vendors Mailjet (hosted in EU) and Sendgrid (hosted in the USA). They both have a high security and compliance level. For additional compliance info, please visit Mailjet and Sendgrid.

Location details on sub-processors can be found in the Data Processing Agreement here

Network Protection

Azure networking provides the infrastructure necessary to securely connect virtual servers to one another and to connect on-site datacenters with Azure servers. Azure blocks unauthorized traffic to and within the datacenters by using a variety of technologies such as firewalls, partitioned local area networks, and the physical separation of back-end servers from public-facing interfaces.

Data Protection

Enalyzer encrypts data and safeguards customer data. Enalyzer encrypts data in storage and in transit to align with best practices for protecting confidentiality and data integrity. In order to protect customers against online threats, the platform uses Antimalware for cloud services and virtual machines and uses detection and mitigation techniques to protect against DDoS attacks.

Monitoring and access management

Centralized monitoring and analysis systems provide continuous visibility and timely alerts to the teams that manage the service. There are rigid controls that restrict access to Azure by Microsoft employees. Accordingly, Enalyzer also has strict internal procedures describing who from Enalyzer can access the Azure platform, and when the Azure platform can be accessed.

Penetration testing

Microsoft undertakes regular penetration testing to improve Azure security controls and processes.

Product security

Login safety

Enalyzer systems are delivered as SaaS systems and can be accessed through any modern web browser. All users have separate usernames and passwords. Multiple failed sign-in attempts to the same account result in a temporary lockout, which is automatically reactivated after 5 minutes. Simultaneously, the account user will be informed by email about the failed sign-in attempts. After multiple failed login attempts from the same IP address, the sign-in process is further secured with Captcha security technology.

Encryption

All sign-in and password information to the application is encrypted. Passwords are stored as hash values. All data sessions between the user and Enalyzer, within the application, are encrypted. Data collected from respondents is by default encrypted. Communication to the application from Enalyzer system administrators and developers is encrypted using VPN, and the communication to the Azure servers is only available from the Enalyzer office.

Logging

On the servers, logging is done on all internet traffic. All operations can be identified by a security token that can be traced back to the individual user. For applications, logging is done on all critical operations. Each log contains information about who did what and when. The log is available to the system's administrative users.

Support

The Enalyzer support team can only access an Enalyzer user account if the user has granted them access. Find more information about security

Privacy protection

Our commitment to the privacy of our customer data is backed by Microsoft’s adoption of the world’s first international code of practice for cloud privacy, ISO/IEC 27018. The British Standards Institute has independently verified that Azure is aligned with the ISO 27018 code of practice for the protection of personally identifiable information in the public cloud. Data is stored in the EU (Netherlands and Ireland) and Microsoft has undertaken contractual privacy commitments that help assure that privacy protections in the Azure platform are strong. Among the many commitments supported are:
  • EU Model Clauses. EU data protection law regulates the transfer of EU customer personal data to countries outside the European Economic Area. Europe’s privacy regulators have determined that the contractual privacy protection Azure delivers meets current EU standards for international transfers of data.
  • ISO/IEC 27018, which was developed to establish a uniform, international approach to protecting the privacy of personal data stored in the cloud.
  • Enalyzer’s own Privacy Policy also describes actions taken towards safeguarding privacy.
Find more information about privacy protection

Compliance

Our platform meets a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards including Australia CCSL, UK G-Cloud, and Singapore MTCS. Rigorous third-party audits verify Azure’s adherence to the strict security controls these standards mandate. As part of our commitment to transparency, you can verify our implementation of many security controls by requesting audit results from the certifying third parties, or through your Enalyzer account representative. Find more information about compliance



Policies

Enalyzer provides various online data processing services including among others a survey and reporting tool and hosting of data. The services may also include consultancy services, support services and/or education services.

Enalyzer strives to safeguard the privacy of our customers and the data and personal data they entrust with us regarding their survey respondents and other data subjects.

In the following sections, we have broken down Enalyzer’s privacy policy for you to see what we do to protect your privacy. Enalyzer is compliant with the General Data Protection Regulation (GDPR) regarding the protection of your personal information. Please also read more about how we comply.

Privacy Policy

Enalyzer Customers

You own your survey data. You are the rightful owner of all data that you upload to Enalyzer when using our services, including but not limited to survey data. Consequently, all information on your respondents, used in surveys, and any other information about natural persons (your data subjects) that you process when using our services are also yours. Enalyzer’s Service is a tool for you to use. We do not sell your data to anyone. Your data is only being processed and managed according to your own actions in Enalyzer.

You are the data controller. As an Enalyzer customer you are the data controller of all personal data that you upload to Enalyzer when using our services. Our customers have complete control and administration rights over their surveys, analyses, reports and other services they create by using our applications, services, and platform. Consequently, as a customer you must ensure that you can lawfully process all personal data that you choose to collect, upload and process in connection with your use of Enalyzer services and that you comply with all of your obligations as data controller according to applicable law. Read more about your obligations towards respondents.

Enalyzer is the data processor. Enalyzer provides online applications and services for survey creators etc. We host an online platform but have no influence on the surveys made, their distribution, and analyses that are done or on any other services created by our customers by use of our applications, services, and platform. Consequently, we host and store our customers’ survey and other personal data on behalf of our customers and according to the customers’ instruction only. The terms and conditions applicable to Enalyzer’s processing of your personal data are governed by our Data Processing Agreement. Read more about the terms and conditions.

We safeguard your personal data. Your data is physically stored in the EU, by our hosting partner. They provide secure facilities to protect your data and comply with international regulations. Read more about our security.

Enalyzer's obligations as data controller. In order for you to access and use Enalyzer services, we require some information about you as our customer. In this case, Enalyzer is the data controller. You can read more about Enalyzer’s processing of your own customer information and our privacy policy in this respect below.

Survey Respondents and other Data Subjects

Enalyzer provides an online platform for survey creators and other services. We host an online platform but have no influence on the surveys made, their distribution, and analyses that are done or on any other services created by use of our applications, services and online platform. Enalyzer’s customers have complete control and administration rights over their surveys and other services. Therefore, if you, as a survey respondent or data subject in respect of any processing by our customers of your personal data, have any questions related to your survey or other service, please contact the person or organization that invited you to participate in the survey or service.

Are anonymous responses anonymous? Enalyzer provides customers with different options to collect information about their respondents/data subjects. Typically, the degree of anonymity in a survey or other service is communicated to respondents/data subjects in the invitation to the survey or other service, or in the survey or other service itself. Contact the person or organization that invited you to participate in their survey or other service for specific information about the survey or service.

Does Enalyzer sell respondent data to third parties? No. Never! We solely provide the survey platform to our customers.

Additional privacy Information for Enalyzer customers

In order for you as customers and users to access and use Enalyzer services and website we require some information about you. In respect of the collection and processing of such personal information Enalyzer acts as data controller.

What information do we collect and what do we do with it?

Purpose of Processing. In general, we use the information given from you directly or collected indirectly from third parties, when you use our online applications or services or visit our website for various purposes such as, giving you access to our applications or services, letting customer support handle your request, analyzing usage to improve the applications and services, sending you emails about new features and to prevent illegal activities. More specifically, we gather the following information for the following purposes of processing:

Registration information. We collect information in order for you to use our applications and services. When you sign up for an Enalyzer account, we register your username, password, and email and where necessary we also register your name, company name and address. You may also request support through our ticketing system via your email.

Billing. We require credit card information in order for you to pay for the services you acquire from Enalyzer. Enalyzer does not store your credit card details and data but has partnered with a well-reputed international service provider, Braintree (PayPal), that facilitates and handles payment and security about your privacy, regarding your online payments.

Other Data. To improve our services to our users and develop new services, we collect, as almost any other service on the Internet, usage data like web pages visited, what you click on, cookies (read more below), device used, browser, and so forth. That goes for any navigation on our web page and our web applications. We monitor all the IP addresses for all incoming requests as part of our normal website traffic logging, however, in relation to respondent replies (anonymous and not anonymous), we do not keep any linkage between the replies and the IP address. We use third-party tracking services to provide us with these data.

Marketing purposes. We will only contact you if you have consented to it. If you have provided us with your email address in connection with the usage of our services we can also use your email to market our similar services. You can always change your mind and opt out of our communication to you. As stated above we do not sell or share your information, unless we are forced to meet legal requirements like court orders or valid subpoenas.

What is the legal basis for the processing of your information?

The legal basis for processing of your data includes the following:

For the performance of contract, cf. art. 6(1) point (b) of the GDPR. When you sign up for and/or access Enalyzer services you accept and agree to the service agreement between you and Enalyzer including these Privacy Policy terms. Our processing of your data is necessary for Enalyzer’s performance of the agreement between you and us.

Legitimate interests pursued by Enalyzer, cf. art. 6(1) point (f) of the GDPR. Enalyzer may process your data if it is necessary to pursue our legitimate interests provided that such interests are not overridden by your fundamental rights and freedoms which require protection of your personal data. This may include processing of your data in order to improve our services including statistics and analysis of user behavior on our website.

Your consent, cf. art. 6(1) point (a) of the GDPR. We may require your consent to contact you for marketing purposes, to deliver newsletters or for other purposes. You can always change your mind and withdraw your consent. Please note that your withdrawal of your consent will not affect the lawfulness of our processing of your personal data before your withdrawal. If you want to withdraw your consent, click here to find the relevant contact details. However, if you withdraw your consent, we may have the right to process your data according to another legal basis as stated above. In such case we will inform you about the relevant legal basis.

Transfer of your data to third parties. We do not transfer your personal data to any third parties unless and only to the extent this is necessary for the purpose of our processing as set out above. This is the case for billing and handling of online payments for our services where we transfer credit card details to our service provider.

How do we safeguard your information and how long do we store it? We use a hosting partner to store and host all our data within the EU. All personal data are protected by appropriate technical and organizational measures set up by our hosting partner. We use data encryption and have rigid internal procedures to handle security of personal data. Read more about Enalyzer’s security.

Your rights as data subject. You will always be able to exercise your rights as data subject. These include your right of access to your data and the right to rectification of inaccurate personal data concerning you, the right to obtain erasure of your personal data and to object to the processing of your personal data. You can always contact Enalyzer in regard to your exercise of these matters. Click here to find the relevant contact details.
As we are obligated to ensure that your personal data is correct and updated and since our processing also depends on this, we kindly ask you to update your profile with us with relevant changes.

Effective date and modifications. Thank you for taking your time to learn about Enalyzer’s privacy policy and thank you for trusting us with your data. This privacy policy is effective by May 25, 2018. If there are any changes, we will post them on our website and our users will be properly informed.

Contact information and Data Protection Officer. If you have any questions related to this policy, please contact us at:

Enalyzer A/S
Privacy team
Refshalevej 147
1432 Copenhagen
Denmark
privacy@enalyzer.com

Enalyzer has appointed a Data Protection Officer (DPO). Click here to find the contact details of our DPO.

Complaints. If you wish to complain about Enalyzer’s processing of your data you can always contact Enalyzer. You also have the right to lodge a complaint with the Supervisory Authority. You can find more information about your right to complain at www.datatilsynet.dk.

Minors. Enalyzer services are not meant for and must not be used by minors. “Minors” are persons under the age of 13 (or under such higher age that apply under applicable law in the relevant country to consider a person of legal age). Enalyzer does not deliberately collect personal data from minors or allow them to register and sign up for our services. If we become aware that we have collected or received personal data from a minor, we may without warning or notice delete such personal data. Please contact us if you have reason to believe that this is the case.

Spam Policy

You must use Enalyzer in accordance with Enalyzer’s current terms and conditions. If your usage of Enalyzer violates the terms and conditions, Enalyzer may issue a warning, suspend or terminate your account. Please note, that Enalyzer can change their terms and conditions at any time and it is your responsibility to stay updated and adhere to these.

Enalyzer has a zero-tolerance policy towards spam. This means, that all email recipients must have opted to receive messages from the sender, i.e. you. Users, who send unsolicited emails may be terminated. It is your responsibility to ensure that the emails you send out in connection with your surveys are not marked as spam or have a higher refusal rate than the industry standard. If Enalyzer determines that your level of spam reports or your refusal rate is higher than the industry standard, Enalyzer has the sole discretion to suspend or terminate your usage of their website and services. If you have low response rates, high misuse rates or high spam rates, Enalyzer may request further information regarding your mailing lists to investigate and try to solve the issue or, in some cases, suspend or take away email privileges from your account. Emails that you send via Enalyzer must have a valid reply-to address, which is owned or controlled by you. You may only use Enalyzer to send emails to recipients who have given their explicit consent, or to those whose email addresses you have because of their relationship with you as a supplier, client or employee.

Enalyzer forbids the use of email address harvesting. Enalyzer will terminate accounts that violate this prohibition. Enalyzer forbids the use of third-party purchased or rented mailing lists unless you are able to document that the people on the list have opted to receive emails of the type you are going to send them. You must not send emails to newsgroups, internet forums, distribution lists, or email addresses you have obtained without permission. You must not use Enalyzer to send emails with fake or misleading subject lines and headlines.


Terms of Use


Welcome to Enalyzer. Please read the following Terms of Use carefully, as it contains the legal terms and conditions that you have agreed to when you access or use Enalyzer services as described in Clause 2 (hereinafter the "Service"). In addition to these Terms of Use, Enalyzer’s Security Policy, Privacy Policy and Enalyzer Data Processing Agreement, available at Enalyzer website, shall apply. If you are acting on behalf of someone else, such as a business entity, a company etc., you agree that you are authorized to enter into this free or paid subscription agreement (hereinafter the "Subscription"). By entering into the Subscription you confirm that you yourself or the entity you represent is party to the Subscription (hereinafter the "Customer") and that Customer is bound by the Subscription and the terms and conditions set out in these Terms of Use, Enalyzer’s Security Policy, Privacy Policy and Enalyzer Data Processing Agreement.

The use of the Service is limited to the specific persons stated in the Acceptance Form (hereinafter "User" or "Users"). Each User will have a unique and personal license to access the Service. An individual user name and password per User will be allotted. User names and passwords may not be transferred to any other person without the acceptance of Enalyzer.

1. Commencement, term and termination

1. The Services are operated by Enalyzer Software A/S, CVR No. 32443591, Refshalevej 147, 1432 Copenhagen K, Denmark ("Enalyzer"). 2. The Subscription takes effect upon the acceptance by, or on behalf of, the Customer.

2. Free Subscription shall be valid for an indefinite period. Paid Subscription shall be valid for the period chosen by you (the "Subscription Period").

3. After the end of any paid Subscription Period the Subscription continues on the same terms for a new Subscription Period of the same length as the preceding Subscription Period unless terminated by the Customer prior to the end of the current Subscription Period by logging in and unsubscribing on the account settings of the Enalyzer website, or unless terminated before the end of the current Subscription Period by Enalyzer by email to the Customer. If not terminated prior to the end of a Subscription Period the Subscription will continue for a new Subscription Period, consecutively, and if payment for the preceding Subscription Period has been made by credit card, payment will be automatically credited from the credit card account used by the Customer for the preceding payment. The Customer hereby expressly accepts such automatic payment.

4. A free subscription does not terminate until terminated by the User or by Enalyzer.

5. Terminated paid Subscriptions are automatically downgraded to the limited free Subscription from where the use of the Service can be fully terminated.

2. The Service

1. Enalyzer provides various online data processing services including among others a survey and reporting tool. Enalyzer’s data processing services consist of software developed by Enalyzer with access to an online platform and a number of servers operated by or on behalf of Enalyzer in the EU (the "Service").

2. The Service may also include consultancy services, support services and/or education services, either offered for free or against payment through a separate agreement.

3. The Service is a standard service and Enalyzer does not guarantee that the Service meets the Customer’s particular requirements, nor that use of the Service will lead to specific results for the Customer.

4. Enalyzer supports the most common browsers, in their most recent versions. Enalyzer’s online platform is continuously updated to support new browsers and new versions of existing browsers, as they become common in the market.

3. Registration

1. The Customer undertakes to give complete and accurate information, when creating a User access to the Service. The Customer shall without undue delay inform Enalyzer of any changes in this information.

2. The Customer shall ensure the secure and confidential storage of username and password for the Service. Should the Customer become aware that the username or password is abused, or should any other unauthorized use of the Service take place, the Customer shall inform Enalyzer hereof immediately.

3. If Enalyzer has probable cause to suspect any abuse of the Service or missing Subscriptions, Enalyzer shall inform the Customer and take the necessary measures, including denial of access to the Service.

4. Enalyzer’s obligations

1. The Customer's use of the Service implies that Enalyzer will be processing data, including personal data, belonging to the Customer. Consequently, Enalyzer and the Customer hereby enter into the Enalyzer Data Processing Agreement with Enalyzer as the Data Processor and the Customer as the Data Controller. In the event of any conflict between these Terms of Use and the Enalyzer Data Processing Agreement in relation to the processing of personal data, the terms of the Enalyzer Data Processing Agreement shall prevail.

2. Enalyzer uses a third party cloud-platform for hosting of the Service and shall store the Customer's data in a secure manner as further described in the Enalyzer Data Processing Agreement. Enalyzer shall not disclose Customer’s data without the written consent of the Customer.

3. Enalyzer shall provide a secure technical platform, which shall be constantly monitored and maintained by a reputable hosting supplier, cf. Enalyzer’s Security Policy and Privacy Policy.

4. In case of system failure Enalyzer shall, as quickly as possible, initiate a restart of the Service. Enalyzer cannot be held liable for any loss, directly or indirectly attributable to a system failure, unless this failure is due to willful misconduct or gross negligence on the part of Enalyzer.

5. Enalyzer acknowledges that data is collected on behalf of the Customer and that the rights to this data belong to the Customer. However, Enalyzer has the right to analyze the Customer’s use of the Service in order to improve the Service and develop new services as described in the Privacy Policy regarding use of the Customer Data.

6. Enalyzer endeavors to ensure that the Service is run as securely and stably as possible in accordance with good IT practice. Enalyzer has designed the Service in accordance with good, professional practice and has implemented appropriate security measures for the operation of Enalyzer’s online platform and the Service to ensure ongoing confidentiality, integrity, availability and resilience. Enalyzer will use all reasonable means to ensure that the Service is at all times operational and accessible to the Customer or respondents, and that specific transactions may at all times, or at any given time, be initiated and/or carried out on the Service. Enalyzer’s security measures and compliance with the General Data Protection Regulation (GDPR) are described in more detail in Enalyzer’s Security Policy. Notwithstanding the foregoing, the Service is delivered “as is” and to the extent permitted by law Enalyzer disclaims all guarantees, whether explicit or implied or by law, including but not limited to fitness for a particular purpose, and does not guarantee faultless functionality, including that the Service cannot be exposed to hacker attacks, or other unauthorized access to the Service, i.e. in the form of forced entry into the IT systems on which the Service is based.

7. Enalyzer is entitled to shut off access to the Service completely, or in part, due to security or operational reasons. If reasonably possible Enalyzer shall prior hereto give the Customer an adequate notice.

5. The obligations of the Customer

1. The Customer undertakes to use the Service in accordance with the instructions provided by Enalyzer at any time, including this Subscription. The Customer shall not attempt to break into the underlying database or any other system resources. Equally, the Service must not be used in any way, which can be said to be detrimental to Enalyzer or any third party, and consequently the Customer must not use the Services for purposes such as spamming.

2. The Customer guarantees Enalyzer that the Customer’s use of the Service is lawful in respect of all applicable legislation in any country where the Service is used, including in compliance with any Marketing Practices Act and any Data Protection Act including the General Data Protection Regulation (GDPR). The Customer is solely liable to respondents and third parties for any claims resulting from the Customer’s use of the Service.

3. The Service is not meant for and must not be used by minors. “Minors” are persons under the age of 13 years (or under such higher age that applies under applicable law in the relevant country to consider a person of legal age).

6. Marketing and service information

Enalyzer may contact Customer, its Users and other employees directly by email for marketing purposes only if they have consented to it. If Customer or its Users have provided Enalyzer with their email address in connection with the usage of the Service, Enalyzer may also use these emails to market similar services. Customer and its Users can always withdraw a consent to direct marketing by e-mail and/or opt out from our marketing communication to you.

Enalyzer may also use Customer’s and its Users’ e-mails to provide information about service and support information such as services updates, new features and other information regarding improvement of Customer’s use of the Service and its functionality and features.

7. Prices and payment

1. All price information is stated on Enalyzer’s website in the indicated currency. Invoicing will include Danish VAT of 25% and other applicable taxes.

2. Enalyzer can adjust the prices on the Service to take effect from a new Subscription Period, with a written notice to the Customer of minimum 30 days prior to the commencement of a new Subscription Period.

8. Intellectual Property Rights

1. The Customer holds all rights to own content and data, including personal data on the Customer’s employees or customers and other respondents and any related analysis. Enalyzer shall have no rights to use Customer’s content or data except for the limited rights that are acquired to provide the Service to the Customer or as otherwise described in the Subscription or Enalyzer’s Privacy Policy.

2. Enalyzer holds all rights in and to the Service and its individual components, including name, logo, other trademarks, programming, databases, catalogues, design, graphics and texts, unless such material originally belongs to the Customer. This also applies to all other material given to the Customer.

3. The Customer shall not, without a written agreement with Enalyzer, use the Service or any other material to which Enalyzer holds the rights. However, the Customer acquires the right of use to graphic elements and text, resulting from analysis carried out on behalf of the Customer.

4. The Customer’s License to the Service and any other material, to which the Customer acquires the right of use or copyright, is conditional upon the Customer’s payment of the remuneration agreed upon.

5. Each party shall indemnify the other party for any loss occurred due to claims from a third party that information, design, specifications, software, data and other entities, delivered by the party in question infringes third party rights.

9. Limitation of liability and damages

1. The parties are liable in damages in accordance with the general rules of Danish law.

2. However, neither party is liable for indirect loss, including loss of data. Thus, Enalyzer is i.e. not liable for any acts carried out on the basis of analysis prepared by way of the Service.

3. Enalyzer’s liability in damages with respect to the Service and the Subscription is limited to the amount paid to Enalyzer by the Customer, regarding the Subscription for a period of 12 months prior to the accrual of the claim. In the event of free Subscription the amount is limited to the lowest applicable price of a paid Subscription for a period of 12 months prior to the accrual of the claim.

10. Force majeure

1. The parties are in no event liable for the performance of their obligations under the Subscription, if the failure to perform is due to force majeure. Force majeure shall mean situations such as strike, lockout, rebellion, acts of war, disease epidemics, natural disasters and fire, outside the parties’ control and which the parties, when entering into the Subscription, neither could foresee, nor ought to have avoided or overcome.

11. Confidentiality

1. Each party undertakes to keep know-how, business secrets, personal and customer information or other confidential information, confidential.

2. The duty of confidentiality does not apply to information, which was available to the public at the time of disclosure, or if the other party can prove that the party receiving such information was already familiar with the information when receiving it, or if the information in question was otherwise lawfully available to the recipient at this point in time.

3. Each party undertakes, in respect of the other party, to impose a similar duty of confidentiality on employees and sub-suppliers.

12. Breach

1. No refund of prepayments shall take place in case of termination of the Subscription by the Customer.

2. Either party can terminate the Subscription with immediate effect in case of the material breach on the part of the other party, which if capable of remedy has not been remedied within the expiry of a written notice of thirty (30) days from the party in breach. Material breach occurs if: a) the Customer uses the Service contrary to their purpose, b) the Customer unlawfully copies trademarks, software or other items belonging to Enalyzer, c) the Customer fails to comply with its obligations provided by clause 5 of the Subscription.

3. In case of termination due to the Customer’s material breach any prepaid amounts are not refunded. In case of termination due to material breach on the part of Enalyzer, or if the subscription is terminated by Enalyzer, any prepayments in respect of the actual Subscription Period will be refunded on a pro rata basis. Beyond this, the Customer is not entitled to any refunds in connection with termination.

4. If the Customer wishes to object to a defect in the Service, this must take place without undue delay and one week at the latest following the occurrence of the defect.

5. Enalyzer cannot be held liable for any defects in the Service to which the Customer has not objected six (6) months at the latest after the Service being delivered to the Customer.

13. Assignment

1. The Customer is not entitled to assign its rights or obligations under the Subscription to any other party.

2. Enalyzer is entitled to assign its rights and obligations under the Subscription to any bona fide third parties.

14. Venue and governing law

1. Any disputes related to this Subscription, or agreements to which these terms of Subscription apply, shall be brought before the courts, with the City Court of Copenhagen as the court of first instance.

2. Danish substantive law shall apply without regard to its principles of conflicts of law.

15. Effective Date and modifications

The Subscription is effective by 25 May 2018.

Enalyzer is entitled to amend the terms of the Subscription with not less than 30 days’ notice. In such case Enalyzer will inform the Customer and also post any changes on Enalyzer’s website.


Data Processing Agreement

ENALYZER DATA PROCESSING AGREEMENT


(Last revised and updated 22.03.2021.)

This Addendum constitutes an integral part of the Data Processing Agreement between Enalyzer and the Customer, if the Customer enables the AI Features and accepts the Addendum within Enalyzer’s survey software. (Effective by 10. November 2023)

Applicable to the agreement(s) entered into by Enalyzer Software A/S and the customer regarding the use of Enalyzer’s services.

Please be aware, if you are a user of our other products, Enalyzer Survey Solution and Enalyzer Relations Panel, the following Data Processing Agreement also applies.

BETWEEN:

Customer hereinafter referred to as “Controller”

and

Enalyzer Software A/S, CVR-No. 32443591, having its registered office at Refshalevej 147, 1431 Copenhagen, Denmark, hereinafter referred to as "Enalyzer" or “Processor”

collectively referred to as “Parties” and individually referred to as “Party”



WHEREAS


  1. Processor offers various online software services including among others a survey and reporting tool to Controller via Processor’s online platform (“Processor’s Services”) which include processing of “Personal Data” (as defined under clause 1.3). In that capacity, the Processor is a data processor in a legal sense.
  2. Controller intends to use Processor’s Services. By usage of Processor’s Services, Controller may share Personal Data of its Data Subjects with Processor and is in that capacity a data controller in a legal sense.
  3. Parties acknowledge and agree that Controller solely determines the means and purposes for the processing of Personal Data by Processor.
  4. The purpose of the Agreement is to ensure the Parties' compliance with Article 28 (3) of the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter "the GDPR") stipulating specific requirements to the content of a data processing agreement.
  5. In this Agreement, the Parties wish to set out the subject matter and duration of the processing of Personal Data, the nature and purpose of the processing, the type of Personal Data and categories of data subjects and the obligations and rights of the Parties.
  6. In the event of any discrepancies between this Agreement and any other agreements between the Parties, including the Main Agreement (as defined in clause 1.9), concerning a matter in relation to the processing of Personal Data, the terms of this Agreement shall prevail.



THE CONTROLLER AND THE PROCESSOR HAVE AGREED


as follows in order to ensure adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals with regard to the processing of Personal Data as specified in Appendix 1:

1. Definitions

1.1. In addition to the definitions used elsewhere in this Agreement, the definitions set out below shall apply and have the meaning set out therein.

1.2. ‘Agreement’ shall mean this data processing agreement including its appendices, which forms an integral part of the data processing agreement.

1.3. ‘Personal Data’ shall mean any information Processed by Processor in connection with the provision of the Processor’s Services under this Agreement relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity of that person.

1.4. ‘Processing’ shall mean any operation or set of operations by Processor in connection with the Agreement, which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.5. 'Sub-processor' shall mean any processor engaged by the Processor for the Processing of Personal Data on behalf of the Controller.

1.6. 'Third Country' shall mean countries outside the EU.

1.7. ‘Third Party’ shall mean any natural or legal person, public authority, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to Process the Personal Data based on the Main Agreement.

1.8. ‘Personal Data Breach’ shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

1.9. ‘Main Agreement’ shall mean the creation of an account and/or any other agreement entered into between Controller and Processor regarding the use of Processor’s Services.

1.10. ‘Processor’s Services’ shall mean (i) the various online software services rendered by Processor pursuant to the Main Agreement, including among others provision of a survey and reporting tool and hosting of Controller's data, including Personal Data and/or (ii) support and/or education services provided by the Processor from time to time to the Controller.

1.11. ‘EU’ shall mean the European Union including the European Economic Area (EEA).


2. Scope and details of Processing and instruction to the Processor

2.1. The details of the Processing of Personal Data, and in particular the categories of Data Subjects, types of Personal Data and the purposes for which they are Processed, are specified in Appendix 1.

2.2. The Controller hereby authorises the Processor to Process the Personal Data on behalf of the Controller on the terms and conditions set out in this Agreement. The Processor shall Process the Personal Data only on documented instructions from the Controller, see Appendix 2.

2.3. The Parties agree that this Agreement shall constitute the instructions as of the date of the Agreement.

2.4. The Controller may at any time amend or specify the instructions in accordance with clause 11 of this Agreement. Notwithstanding the foregoing, clause 11 can only be amended according to written mutual agreement between the Parties.


3. Security measures

3.1. The Processor agrees to implement appropriate technical and organisational measures in such a manner that the Processing of the Personal Data will meet the requirements of the GDPR and ensure the protection of the rights of the Data Subjects.

3.2. The details of the security measures taken by Processor in this respect of the Processing of Personal Data, are specified in Appendix 2.

3.3. The Parties agree that the technical and organisational measures and level of security set out in Appendix 2 are sufficient to comply with the Processor’s obligations set out in this clause 3 at the time of the conclusion of this Agreement.

3.4. If the Controller after the conclusion of this Agreement based on its own security and risk assessment requests that the Processor shall implement additional security measures or other technical or organisational measures than agreed to in Appendix 2, such request shall be handled in accordance with and is subject to clause 11 of this Agreement.


4. Obligations of the Controller

4.1. The Controller agrees to ensure that the Controller always collects and processes Personal Data in accordance with and does not violate the relevant provisions of the GDPR and other applicable EU and national data protection law in the Member State in which the Controller is established.

4.2. The Controller shall immediately notify the Processor in writing after becoming aware of any possible unauthorised use of log-in information, passwords, credentials or other security breaches in the Controller’s systems, at the Controller’s premises or otherwise under the Controller’s responsibility that are or may be related to or have an impact on the Processor’s Processing of Personal Data under this Agreement.


5. Obligations of the Processor

The Processor agrees:

5.1. to Process the Personal Data in accordance with the security measures set out in Appendix 2 and any measures that may have been mutually agreed in accordance with clause 11 of this Agreement;

5.2. to Process Personal Data only in accordance with the written instructions from the Controller, cf. clause 2 of this Agreement, including with regard to transfers of Personal Data to a Third Country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;

5.3. where necessary and taking into account the nature of the Processing, to assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation by law to respond to requests for exercising the Data Subjects’ rights laid down in chapter III of the GDPR;

5.4. where necessary and taking into account the nature of the Processing, to assist the Controller in its compliance with an obligation to carry out a data protection impact assessment (“DPIA”) and prior consulting of supervisory authorities where required, cf. articles 35 and 36 of the GDPR;

5.5. to provide Controller upon request and within reasonable time the information necessary to demonstrate compliance with the obligations laid down in this clause 5;

5.6. to cooperate (including representatives of Processor), on the Controller’s request, with the supervisory authority in the performance of its tasks;

5.7. to allow for and contribute during normal business hours to reasonably necessary audits including inspections, conducted by an external qualified auditor mandated by the Controller, solely for the purpose of fulfilment of the Controller's obligations laid down in Article 28 of the GDPR and for accurately stipulated research questions in this connection provided that such external qualified auditor is subject to and bound by confidentiality obligations as stipulated in clause 12 of this Agreement;

5.8. to once a year make an audit report available on the Processor’s website with information indicating that the Processor complies with the Agreement. The report shall be prepared at the Processor's expense based on applicable, acknowledged audit standards, e.g. ISAE 3000 or 3402 or similar;

5.9. to notify Controller in the event of a Personal Data Breach as set out in clause 6 of this Agreement;

5.10. to notify Controller in the event that a supervisory authority contacts Processor in relation to the Processing of Personal Data, insofar as permitted by law.


6. Cost for Processor’s assistance and audits

6.1. If the Controller requires assistance from the Processor or the Processor’s Sub-processors pursuant to clauses 5.3, 5.4, 5.5, 5.6 and/or 5.7, the Processor shall be entitled to payment from the Controller for such assistance at the hourly rates and compensation of costs as set out in Appendix 3.

6.2. If the Controller requires additional audit reporting or additional other similar documentation than what is covered and comprised by the annual audit report prepared by the Processor, see clause 5.8, the Processor shall be entitled to payment from the Controller for the preparation of such additional reporting and documentation in accordance with the hourly rates and compensation of costs as set out in Appendix 3.

6.3. Notwithstanding clauses 6.1 and 6.2, Processor is not entitled to payment for assistance or additional reporting or documentation if the Controller’s request arises out of circumstances, which are attributable to Processor’s breach of security or Processor’s breach of its obligations as set out in this Agreement.


7. Personal Data breach

7.1. Processor will notify the Controller without undue delay after becoming aware of a Personal Data Breach.

7.2. The aforementioned notification shall describe the nature of the Personal Data Breach including where possible: (i) the (estimated) time of the Personal Data Breach; (ii) the likely consequences of the Personal Data Breach and (iii) reasonable measures taken or proposed by the Processor to mitigate the consequences of the Personal Data Breach.


8. Records of Processing activities

8.1. The Processor shall maintain, in written and electronic form, records of all categories of Processing activities carried out on behalf of the Controller according to the Main Agreement.

8.2. The Processor shall make the records available to the supervisory authority on request.


9. Deletion of Personal Data

9.1. Processor will give Controller access to system functionality in order for the Controller to delete and/or return (i.e. export) any and all of Controller’s data including the Personal Data during the term of the Agreement and/or upon the termination of the Agreement, see clause 14.

9.2. The process and timeframes for deletion of Controller’s data including the Personal Data are described in Appendix 4.

9.3. If Controller requests the Processor’s assistance to delete and/or return (i.e. export) the Controller’s data including the Personal Data during the term of the Agreement and/or upon the termination of the Agreement, see clause 14, such assistance shall be rendered by Processor at Controller’s expense and is charged under the conditions set out in Appendix 4.


10. Sub-processing

10.1. The Processor shall not engage a Sub-processor, unless this is approved by the Controller by (i) a general or specific authorisation according to Appendix 5 to this Agreement, or (ii) specific instruction from the Controller.

10.2. In the event that Processor engages Sub-processors for carrying out Processing activities on behalf of the Controller in accordance with Appendix 5, the same data protection obligations as set out in this Agreement shall be imposed on that Sub-processor by way of a contract or other legal act under EU or national Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of this Agreement.

10.3. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. However, the Controller cannot object to any intended changes concerning the addition or replacement of Sub-processors if the new Sub-processor provides sufficient guarantees with respect to implementation of appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR as outlined in this Agreement. If the Controller does not object to changes concerning the addition or replacement of Sub-processors within 30 days from the Processor’s notification of the intended changes, such changes shall be deemed to be accepted by the Controller.

10.4. Processor shall remain liable to the Controller for a Sub-processor's fulfilment of its data protection obligations.

10.5. The Controller may request in writing that the Processor demonstrates its Sub-Processor’s compliance with the obligations laid down in Article 28 of the GDPR. In such case, the Processor shall be entitled to fulfil this obligation by the audit reports (or similar documentation) that the respective Sub-Processors prepare and make available for this purpose. The foregoing is on the condition that such audit reports etc. contain information stating that the Sub-Processor in question complies with the GDPR and provided that such audit report(s) or similar documentation shall be based on applicable, acknowledged audit standards, such as ISAE 3000 or 3402 or similar standards. Any additional audit reporting or additional other similar documentation requested by the Controller will be at the Controller’s cost and expenses and is charged under the conditions set out in Appendix 3.


11. Change of instructions

11.1. Prior to any change of the instructions given by the Controller, see clause 2, the Parties shall to the widest possible extent discuss in good faith, and if possible agree on, reasonable terms for the implementation of such changes, including the implementation period and the related costs.

11.2. The Processor shall use reasonable endeavours to comply with any legislative changes. However, the Processor shall not be obligated to implement any change of the instructions if the Parties cannot in good faith agree to reasonable terms for the implementation. If the Parties fail to agree in good faith to reasonable terms regarding change of the instructions each Party shall be entitled to terminate this Agreement with a written notice of 60 days, provided that such changes are deemed necessary to comply with the GDPR or other applicable EU or national data protection laws and regulation. The Main Agreement and any other agreement between the Parties involving Processing of Personal Data shall automatically terminate at the same time.

11.3. Unless otherwise agreed the following applies:

(i) The Processor shall without undue delay initiate implementation of agreed changes of the instructions and shall ensure that such changes are implemented without undue delay in relation to the nature and extent of the changes;

(ii) The Processor is entitled to payment of all costs directly connected with changes of the instructions, including implementation costs and increased costs for delivery of the Services;

(iii) The Controller must without undue delay be informed of the indicative estimate of the implementation period and the related costs;

(iv) Changes to the instructions are not regarded as being in force until the time when such changes have been implemented, provided that the implementation of such changes is carried out in accordance with this clause 11.2;

(v) The Processor is exempt from liability towards the Controller for failure to deliver the Services to the extent (including in terms of time) that delivery of the Services will be contrary to the changed instructions, or delivery in accordance with the changed instructions is impossible. This may be the case in the event that (i) the changes cannot be made due to technical, practical or legal reasons, (ii) the Controller explicitly states that the changes are to apply before implementation is possible, or (iii) during the period until the Parties carry through any necessary changes of the Agreement in accordance with the amendment procedures herein.


12. Confidentiality

12.1. Neither Party shall disclose any confidential information. This information includes, but is not limited to Personal Data, documents marked "confidential", information of which the confidential nature must be assumed and information that has not been made publicly available by any Party.

12.2. A Party may only disclose confidential information when obliged by applicable law or unless otherwise agreed upon, signed in writing.

12.3. Processor ensures that persons authorised by it to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

12.4. The Processor must ensure that the persons performing work for the Processor and who have access to Personal Data, only process such Personal Data as instructed by the Controller, unless processing is required under applicable EU law or national legislation.


13. Liability

13.1. The Processor is liable for damages in accordance with the general rules of Danish law subject to the terms set out in this clause 13.

13.2. Notwithstanding any limitations of the Processor’s liability set out in this clause 13, the Processor shall be liable for documented loss suffered or costs incurred by the Controller due to the Processor’s wilful misconduct or gross negligence or due to the Processor's failure to comply with its mandatory obligations towards a supervisory authority.

13.3. The Processor has taken out a Professional Indemnity & Cyber Insurance with an insurance coverage of EUR 1,250,000 per claim and in the annual aggregate (the “Insurance Policy”). In any case, the Processor’s liability is limited to the amount that is paid out in that specific case under the Insurance Policy, and if applicable, increased by the deductible.

13.4. If for whatever reason, the Insurance Policy does not entitle Processor to any payment, the Processor's liability will in any case be limited to direct damages, with a maximum amount of three (3) times the sum invoiced to Controller pursuant to the Main Agreement in the foregoing twelve (12) months after a claim was made.

13.5. The Processor shall not be liable to pay damages for any indirect, consequential or incidental loss or damages including but not limited to loss of goodwill, loss of expected profit and/or loss of operation, arising out of or in connection with the Agreement.

13.6. The Processor shall not be liable for loss or damages if caused by the Controller’s failure to comply with its obligations according to applicable EU or national data protection laws and regulations or this Agreement. Nor shall the Processor be liable for loss or damages in the event of the Controller’s breach of the Main Agreement and/or other agreement between the Parties involving Processing of Personal Data, or the Controller’s failure to comply with its obligations towards a supervisory authority.

13.7. Any claims put forward by the Controller for compensation of damages will expire 12 months after the date on which the Controller became aware of or ought to have become aware of said damage.


14. Term and Termination of the Agreement

14.1. The commencement date of the Agreement is the same date as the commencement date of the Main Agreement.

14.2. The termination of the Agreement does not affect provisions relating to confidentiality and those provisions, which by nature are intended to survive the termination.

14.3. This Agreement forms an integral part of the Main Agreement, and consequently terminates simultaneously with the termination of the Main Agreement.

14.4. A Party may terminate the Main Agreement in the event of the other Party’s material breach of this Agreement. Where such breach is capable of being remedied, a Party may only terminate the Main Agreement if the breaching Party has not remedied such breach within 30 days after giving written notice of such breach and the consequences of failure to remedy the breach.

14.5. Notwithstanding termination of this Agreement according to this clause 14, the Agreement shall be in force for as long as the Processor Processes Personal Data on behalf of the Controller, for example in respect of the deletion processes described in Appendix 4.


15. Governing Law and amendments

15.1. The legal relationship between Controller and Processor is exclusively governed by the laws of Denmark without regard to its principles of conflicts of law. Disputes between the Parties will, in the first instance, be exclusively resolved by and subject to the District Court of Copenhagen, Denmark as venue.

15.2. In the event that Parties agree to amend the Agreement, said amendments shall be attached to the Agreement in an additional Appendix 6. Amendments to the Agreement are only valid if the provisions concerned in the Agreement are explicitly referred to (when applicable) and explicitly derogated from; and only if the appendix is signed and dated by both Parties.


Appendix 1 Details of Processing of Personal Data


This Appendix forms part of the Agreement.

1. Description of the activities by the Processor relevant to the Processing of Controller’s Personal Data:

1.1. Depending on the scope and nature of the Main Agreement, the activities to be performed by the Processor under this Agreement relevant to the Processing of Personal Data may include the following:

1.1.1. Provision of various online data processing Services including among others a survey and reporting tool via software solutions and platform made available from enalyzer.com.

1.1.2. Hosting of Personal Data.

1.1.3. Provision of support and/or education Services.


2. Third Party Integration Services

2.1. As part of the Main Agreement, when using Enalyzer the Controller can choose to connect to various integration services and/or applications using third party software (“Third Party Integration Services”). Some of these Third Party Integration Services are made available to the Controller by the Processor’s Sub-processors (see Appendix 5), whereas other Third Party Integration Services are offered to the Controller by independent service providers that are not Sub-processors of the Processor. In such case, the Controller must enter into a separate agreement with the third party service provider.


3. Data Subjects

3.1. The Controller will import Personal Data to the Services for Processing by Processor that may concern any of the following categories of Data Subjects, including but not limited to:

3.1.1. Controller’s employees, board members and officers

3.1.2. Controller’s customers, clients and other business partners

3.1.3. Citizens of Controller

3.1.4. Students, pupils and other users of public and private institutions

3.1.5. Children

3.1.6. Patients and relatives

3.1.7. Private users

3.1.8. Business Users

3.1.9. Members of foundations, unions, associations and/or political organisations


4. Categories of data

4.1. The Personal Data Processed may fall within any of the following categories of data:

4.1.1. Personal Data covered by GDPR article 6 including but not limited to contact information such as name, address, phone and/or mobile, gender, age, date of birth, preferences, employment position, family status etc.;

4.1.2. national identification number;

4.1.3. Personal Data covered by GDPR article 9*;

4.1.4. Personal Data relating to criminal convictions and offences (cf. GDPR art. 10).

*GDPR art. 9 includes: data revealing racial or ethnic origin, political opinions, religious and/or philosophical beliefs, trade union membership, processing of genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health and/or data concerning a natural person's sex life or sexual orientation.

For the processing of Personal Data covered by art. 9 the Controller must obtain explicit consent from the Data Subjects.


Appendix 2


INSTRUCTIONS RE PROCESSING OF PERSONAL DATA

This Appendix forms part of the Agreement.

A. Security of Processing

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller and the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) encryption of Personal Data when transmitted via public networks and in connection with remote access to Controller’s systems;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and Services;

(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

(d) a process for testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

3. The Processor hosts the data, including Personal Data, of the Controller via Microsoft Cloud Azure. The online hosting Services are delivered from data centres solely situated within EU, in Ireland and the Netherlands.

4. The particular security measures to be taken out by the Processor under this Agreement are specified in more detail on www.enalyzer.com (Processor's Security and Privacy Protection Policies). The Controller hereby agrees that in respect of the Processor’s Processing of the Controller’s Personal Data under this Agreement the foregoing security measures constitute appropriate technical and organisational measures to ensure a level of security appropriate to the risk.


B. Third Party Integration Services

1. If the Controller uses integration services and/or applications using third party software (“Third Party Integration Services”) where the Controller must enter into a separate agreement with the independent third party service provider, see Appendix 1, clause 2, the Controller hereby authorises and instructs the Processor to perform the following Processing on behalf of the Controller:

i) provide, transmit or transfer the data, including Personal Data, of the Controller to the third party provider of the relevant Third Party Integration Service, provided and only to the extent this is necessary for the performance and use by Controller of the said integration services and/or applications, and

ii) Process data, including Personal Data, of the Controller that are transferred from the third party provider of the relevant Third Party Integration Service to the Controller’s Services with Processor.

2. It is the sole responsibility and liability of the Controller to ensure the necessary basis of lawful Processing for the transfer of the Controller’s Personal Data to and from any third party provider of a Third Party Integration Service that is used by the Controller via Enalyzer.

3. Enalyzer shall not be responsible or liable for the Processing by any third party provider of the Controller’s Personal Data in this respect.


C. Processing location

1. Processing of the Personal Data is performed by Enalyzer at the location set out below:

Refshalevej 147, 1432 Copenhagen, Denmark - by Enalyzer A/S

2. Processing of Personal Data performed by Sub-Processors is done at the locations set out in Appendix 5.


Appendix 3 Costs for assistance and audits


This Appendix forms part of the Agreement.

1. In the event that Controller requires assistance from the Processor or any of the Sub-processors pursuant to this Agreement, such assistance is charged as follows:

1.1. payment for time spent per person, including preparation, at an hourly rate of € 150,- excluding VAT (if applicable), and

1.2. payment of reasonable costs and expenses incurred during the course of providing a task or otherwise as a necessary part of such task or other assistance.

2. Notwithstanding clause 1.1, in the event that the applicable hourly rate charged by a Sub-processor for the required assistance exceeds the hourly rate of € 150, Enalyzer shall be entitled to payment of the difference between the hourly rate set out in clause 1.1 and the rate charged by the Sub-Processor.

3. All costs and expenses of audits or inspections required and conducted by the Controller or its representatives in respect of the Processor’s or the Processor’s Sub-processors’ compliance with article 28 of the GDPR shall be borne solely by Controller unless otherwise specifically follows from the Agreement.


Appendix 4 Deletion of data


This Appendix forms part of the Agreement.


Data deletion

The processes and time frames for deletion of the Controller’s data including Personal Data are described below.

Notwithstanding the termination of the Agreement, the Processor's Processing of the Controller’s Personal Data during the deletion periods set out below is to be regarded as taking place according to the Controller’s instructions, see also clause 14 of the Agreement.

It is the sole responsibility of the Controller that its data including the Personal Data is deleted in compliance with the GDPR.

I. The Controller’s deletion of data during the term of the Agreement

During the term of the Agreement, the Controller can delete or export its data including the Personal Data at any time by using the system functionality for deletion/export.

Upon deletion of the data by the Controller, the Processor will automatically delete the data within a period of up to 90 days, depending on the type of data (e.g. data concerning respondents will be deleted in 10 days and a whole survey project will be deleted in 90 days).

If the Controller deletes an organization, the Processor will automatically delete all data after 110 days.

In all cases, backups of data are kept by the Processor for thirty (30) days after the automatic deletion has been made, whereafter the backups will be deleted by the Processor, unless Union or Member State law requires storage of the Personal Data.

II. Deletion or export of data upon Controller’s request

The Controller may at any time request the Processor’s assistance to perform deletion of or to export data including Personal Data subject to separate payment for these services at an hourly rate of 150 Euro.

Upon receipt of such written request from the Controller, the Processor will within a maximum of five (5) working days immediately delete or export Controller’s data in accordance with the Controller’s instructions.

Backups of all data are in any case kept by the Processor for thirty (30) days after deletion, whereafter the backups will be deleted by the Processor, unless Union or Member State law requires storage of the Personal Data.

III. Deletion of data after the Controller’s deletion of an account

In the event that the Controller deletes its Enalyzer account, the Main Agreement will automatically terminate. In such case a grace period of twenty (20) days will take effect. The grace period is provided in case the Controller’s deletion of the account was due to a mistake.

Unless prior to the expiry of the grace period (i) the Controller informs the Processor in writing that the Controller’s deletion of the account was a mistake, or (ii) the Parties otherwise agree to continue the Main Agreement, the deletion process will automatically initiate after the expiry of the grace period and the Controller’s data including the Personal Data will be automatically deleted after ninety (90) days by the Processor.

Backups of all data are in any case kept by the Processor for thirty (30) days after deletion, whereafter the backups will be deleted by the Processor, unless Union or Member State law requires storage of the Personal Data.



Appendix 5


Sub-processors and transfer to third countries outside EU

This Appendix forms part of the Agreement.


Sub-processors

1. The Controller hereby gives the Processor its prior general authorisation to use Sub-processors. A list of Sub-processors currently used by the Controller is set out in the table below.


Required Sub-Processor

Microsoft Azure is the underlying infrastructure for the entire Enalyzer software platform including hosting, database and backup storage. All data is kept within EU and provided by highly secure and scalable hosting centres in Ireland and the Netherlands. For more information on Microsoft Azure visit www.enalyzer.com.

| Name | Corporate Address | Processing Location | Hosting Platform | Description of processing activity |
|---|---|---|---|---|
| Microsoft Corporation | 1 Microsoft Way, Redmond, WA 98052, USA | Dublin, Ireland (EU); Amsterdam, The Netherlands (EU) | Microsoft Azure | Hosting Enalyzer Platform |



Optional Sub-Processors

Certain features or services within the platform can be chosen by the user. In these cases, the following sub-processors apply.

For more information on these visit www.enalyzer.com.

| Name | Corporate Address | Processing Location | Hosting Platform | Description of processing activity |
|---|---|---|---|---|
| MailJet (Mailgun Technologies Inc.) | 112 E Pecan St. #1135, San Antonio, TX 78205, USA | Frankfurt, Germany (EU); Saint-Ghislain, Belgium (EU) | Google Cloud | Sending of e-mails. E.g. invitations to surveys and reports. Mailjet is hosting the e-mail engine. |
| SendGrid (Twilio Inc.) | 375 Beale St. #300, San Francisco, CA 94105, USA | Herndon, VA (USA); Las Vegas NV (USA); Chicago, IL (USA) | Amazon Web Services | Sending of e-mails. E.g. invitations to surveys and reports. Sendgrid is hosting the e-mail engine. |
| Zendesk | 989 Market St, San Francisco, CA 94103, USA | Frankfurt, Germany (EU); Dublin, Ireland (EU) | Amazon Web Services | Support system. E.g. when users request support through a ticket within Enalyzer or by sending a mail to support@enalyzer.com. |



Transfer of Personal Data to third countries outside EU

1. Controller hereby authorizes the Processor to transfer Personal Data for processing by its Sub-Processors at their processing locations in the third countries or territories outside EU that are specified in the above table. Processor must ensure that the transfer of the Personal Data to the third countries mentioned in the above table is lawful, including that there is a legal basis ensuring an adequate level of protection of the transferred Personal Data.

2. The legal basis for such transfer may be in the form of:

· The Commission’s decision in accordance with Art. 45(3) of the GDPR that the third countries in question ensure an adequate level of protection; or

· Standard Contractual Clauses (SCC) (Controller-Processor)

Controller hereby authorises Processor to enter into Standard Contractual Clauses (SCC) (Controller-Processor) on behalf of the Controller for the transfer to Sub-Processors outside EU in order to provide for a legal basis of transfer including such other appropriate safeguards as is required in order to ensure the lawful processing of the Personal Data in compliance with the GDPR.
