Security

All you need to know when using Enalyzer from a security, legal and privacy perspective

Introduction

Welcome to Enalyzer’s security and legal section. This section aims to provide you with a comprehensive overview of all you need to know when using Enalyzer, from a legal, security and privacy perspective.

The information targets users of our survey web apps*, their respondents, our website visitors, and customers we are assisting with consultant projects or other survey services. Please explore the following sections for more in-depth information:

GDPR
Security
Policies
Terms of use
Data processing agreement

If you have any questions in general related hereto, please contact our support team at support@enalyzer.com. If you have any questions specifically related to GDPR and/or the Data Processing Agreement please contact our Data protection officer, Karin Absalonsen at privacy@enalyzer.com.

- The Enalyzer Team

* If you are a user of our other Enalyzer products Enalyzer Survey Solution and Enalyzer Relations Panel, the following Security and Data Processing Agreement apply.

GDPR

Introduction

The General Data Protection Regulation (GDPR) harmonizes data privacy laws across the European Union (EU). The GDPR takes effect on May 25, 2018, and lays down rules of fundamental rights of processing and protection of personal data. Below we provide an overview of the requirements under GDPR, and how Enalyzer complies with these.

All Enalyzer account holders, whether located in the EU or outside the EU, have to comply with the rules of the GDPR, when collecting and/or processing personal data. The GDPR applies to Enalyzer account holders which have EU “establishments”, irrespective of whether the actual data processing takes place in the EU or not. Enalyzer account holders which are Non-EU established will be subject to the GDPR where they process personal data about data subjects who are in the EU in connection with (i) the “offering of goods or services” (payment is not required), or (ii) “monitoring” their behavior within the EU.

In relation to GDPR and surveying, the definitions of roles and their responsibilities play a central role.

Personal data

  • Any information relating to an identified or identifiable natural person (data subject) by an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing

  • Any operation performed on personal data, including but not limited to collection, organization, structuring, storage, alteration, use, disclosure by transmission etc.

The data subject

  • A person whose personal data is processed by a controller or processor. In this case, the data subject is the respondent.

The data controller

  • Determines the purpose for and how the personal data is processed. In this case, the data controller is the Enalyzer account holder who carries out the surveying and reporting.

The data processor

  • Processes data on behalf of the Data controller according to its instructions. In this case, the data processor is Enalyzer, who processes data on behalf of and according to instructions from the Enalyzer account holder (data controller).

Under the GDPR, Personal Data comprises the following categories of data:

– Non-sensitive data (cf. GDPR article 6) of any kind including but not limited to contact information such as name, address, phone and/or mobile, gender, age, date of birth, preferences, employment position, family status etc.
– Sensitive data (cf. GDPR article 9)*
– Data relating to criminal convictions and offenses (cf. GDPR art. 10).
– National identification number may be regulated by national law of the Member states.

*Sensitive data includes: data revealing racial or ethnic origin, political opinions, religious and/or philosophical beliefs, trade union membership, processing of genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health and/or data concerning a natural person's sex life or sexual orientation. Processing of sensitive data requires explicit consent or other particular legal bases.

Rights of respondents (data subjects)

The respondent generally has the right to obtain the following information from the Enalyzer account holder (data controller), which must be given upon the Enalyzer account holder’s collection or receipt of the respondent’s personal data:

– the identity and the contact details of the Enalyzer account holder (data controller)
– the contact details of the data protection officer, where applicable
– the purpose of the processing and the legal basis for the processing
– the categories of personal data concerned. If there is an intent to transfer personal data to a third country outside EU
– the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
– the recipients to whom the personal data have been or will be disclosed
– the right to rectification (update or correct) inaccurate personal data concerning him/her
– the right to erase personal data concerning him/her without undue delay
– the right to restrict the processing of personal data
– the right to object to the processing of personal data
– the right to receive a copy of the personal data concerning him/her
– the right to data portability, in order to transfer the personal data
– the right to complain to a supervisory authority

For the full law text and obligations of the Enalyzer account holder as data controller, please visit https://gdpr-info.eu/chapter-3/

As stated above, all respondents must contact the Enalyzer account holder, who is the data controller and administrator of the survey, to exercise their rights. As a data processor, Enalyzer is not responsible for this. Enalyzer will, therefore, refer all requests from respondents to the account holder.

Obligations for the Enalyzer account holder (data controller)

When personal data is collected or received by the Enalyzer account holder from the respondents, the Enalyzer account holder must inform the respondents about their rights as stated above.

For the full law text and obligations of the Enalyzer account holder as data controller, please visit https://gdpr-info.eu/chapter-3/

Enalyzer account holders (as data controller) are solely responsible for giving information to the respondents in clear language, according to the aforementioned. Moreover, the Enalyzer account holders shall handle all requests from their respondents with respect to rectification, erasure/deletion, restriction of processing, etc. of personal data and provide a copy of responses etc. with personal data upon request from the respondent.

In relation hereto, Enalyzer is committed to providing and developing features that will improve the Enalyzer account holders’ administration and execution of these rights. If you should be in doubt or need help on how to handle this, please contact our support team.

Obligations for the Enalyzer account holder (data controller) and Enalyzer (data processor)

The data controller that is subject to GDPR must have in place an appropriate Data Processing Agreement (DPA) with Enalyzer as their Data processor, where, among other things, secure organizational and technical measures to process data are regulated. The DPA also sets out the instructions that the Enalyzer account holder (data controller) gives to Enalyzer regarding the processing of the personal data of the respondents, etc. and establishes the rights and responsibilities of both parties with respect to such processing.

Using Enalyzer to manage your surveys implies that our DPA is accepted along with our Terms of Use and Privacy Policy, and serves as your entire contract with Enalyzer. All documents are aligned to meet the GDPR demands. With the above in place, Enalyzer’s provision of our services to you will be compliant with the new GDPR regulation taking effect on May 25, 2018.

The same applies to our security, where Enalyzer itself and our hosting supplier are externally audited based on ISO27001/27002 or similar standards, to document an appropriate security level that meets the GDPR. Please visit our security section for more information and documentation on our security.

When Enalyzer account holders provide personal information (such as contact information, cookies, payment info, etc.) in relation to use of Enalyzer’s services and platform or when signing up to become an Enalyzer account holder, Enalyzer changes role and becomes the data controller. The same applies to Enalyzer website visitors and some metadata on respondents. Please visit our Privacy Policy for additional information on what we collect and what we do with it.

Security

At Enalyzer we do our utmost to keep our customers' data safe and our web-based survey systems accessible at any time. Therefore we have engaged with Microsoft Azure, whose cloud infrastructure supports over 1 billion customers across enterprise and consumer services in 140 countries and is backed by Microsoft's $15 billion (USD) investment in global data center infrastructure. Hence, as an Enalyzer customer, you get what you should expect from a high-end web app provider: top system performance, availability and security, which have the best-practice levels within the industry. In the following sections, we highlight our security’s main points. Nevertheless, since we are completely transparent, you can dig deeper and learn more about our security measures by following the relevant links for more information.

Enalyzer is also independently audited, based on the ISO27001/2700 standard, in order to secure that we provide an appropriate technical and organizational set-up. You can access the yearly ISAE 3402 Type 1 assurance report here

Steen Ødegaard, Enalyzer CTO and Co-founder

Please be aware, if you are a user of our other Enalyzer products, Enalyzer Survey Solution and Enalyzer Relations Panel, the following Security applies.

Platform security

Data centers

Enalyzer is hosted at two separate data centers in the Netherlands and Ireland, with real-time replication of data between the two. Uptime is guaranteed at 99,9 %. These data centers comply with industry standards, such as ISO 27001, for physical security and availability. Each facility is designed to run 24x7x365 and employs various measures to help protect operations from power failure, physical intrusion, and network outages. Read more about the location of the data centers.

Network Protection

Azure networking provides the infrastructure necessary to securely connect virtual servers to one another and to connect on-site datacenters with Azure servers. Azure blocks unauthorized traffic to and within the datacenters by using a variety of technologies such as firewalls, partitioned local area networks, and the physical separation of back-end servers from public-facing interfaces.

Data Protection

Enalyzer encrypts data and safeguards customer data. Enalyzer encrypts data in storage and in transit to align with best practices for protecting confidentiality and data integrity. In order to protect customers against online threats, the platform uses Antimalware for cloud services and virtual machines, and uses detection and mitigation techniques to protect against DDoS attacks.

Monitoring and access management

Centralized monitoring and analysis systems provide continuous visibility and timely alerts to the teams that manage the service. There are rigid controls that restrict access to Azure by Microsoft employees. Accordingly, Enalyzer also has strict internal procedures describing who from Enalyzer can access the Azure platform, and when the Azure platform can be accessed.

Penetration testing

Microsoft undertakes regular penetration testing to improve Azure security controls and processes.

Product security

Login safety

Enalyzer systems are delivered as SaaS systems and can be accessed through any modern web browser. All users have separate usernames and passwords. Multiple failed sign-in attempts to the same account result in a temporary lockout; the account is automatically reactivated after 5 minutes. Simultaneously, the account user will be informed by email about the failed sign-in attempts. After multiple failed login attempts from the same IP address, the sign-in process is further secured using Captcha security technology.

Encryption

All sign-in and password information to the application is encrypted. Passwords are stored as hash values. All data sessions between the user and Enalyzer, within the application, are encrypted. Data collected from respondents is by default encrypted. Communication to the application from Enalyzer system administrators and developers is encrypted using VPN, and the communication to the Azure servers is only available from the Enalyzer office.

Logging

On the servers, logging is done on all internet traffic. All operations can be identified by a security token that can be traced back to the individual user. For applications, logging is done on all critical operations. Each log contains information about who did what and when. The log is available to the system's administrative users.

Support

The Enalyzer support team can only access an Enalyzer user account if the user has granted them access. Find more information about security

Privacy protection

Our commitment to the privacy of our customer data is backed by Microsoft’s adoption of the world’s first international code of practice for cloud privacy, ISO/IEC 27018. The British Standards Institute has independently verified that Azure is aligned with the ISO 27018 code of practice for the protection of personally identifiable information in the public cloud. Data is stored in the EU (Netherlands and Ireland) and Microsoft has undertaken contractual privacy commitments that help assure that privacy protections in the Azure platform are strong. Among the many commitments supported are:
  • EU Model Clauses. EU data protection law regulates the transfer of EU customer personal data to countries outside the European Economic Area. Europe’s privacy regulators have determined that the contractual privacy protection Azure delivers meets current EU standards for international transfers of data.
  • ISO/IEC 27018, which was developed to establish a uniform, international approach to protecting the privacy of personal data stored in the cloud.
  • Enalyzer’s own Privacy Policy also describes actions taken towards safeguarding privacy.
Find more information about privacy protection

Compliance

Our platform meets a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards including Australia CCSL, UK G-Cloud, and Singapore MTCS. Rigorous third-party audits verify Azure’s adherence to the strict security controls these standards mandate. As part of our commitment to transparency, you can verify our implementation of many security controls by requesting audit results from the certifying third parties, or through your Enalyzer account representative. Find more information about compliance

Policies

Enalyzer provides various online data processing services including among others a survey and reporting tool and hosting of data. The services may also include consultancy services, support services and/or education services.

Enalyzer strives to safeguard the privacy of our customers and the data and personal data they entrust with us regarding their survey respondents and other data subjects.

In the following sections, we have broken down Enalyzer’s privacy policy for you to see what we do to protect your privacy. Enalyzer is compliant with the General Data Protection Regulation (GDPR) for the protection of your personal information. Please also read more about how we comply.

Privacy Policy

Enalyzer Customers

You own your survey data. You are the rightful owner of all data that you upload to Enalyzer when using our services, including but not limited to survey data. Consequently, all information on your respondents, used in surveys, and any other information about natural persons (your data subjects) that you process when using our services are also yours. Enalyzer’s Service is a tool for you to use. We do not sell your data to anyone. Your data is only being processed and managed according to your own actions in Enalyzer.

You are the data controller. As an Enalyzer customer, you are the data controller of all personal data that you upload to Enalyzer when using our services. Our customers have complete control and administration rights over their surveys, analyses, reports and other services they create by using our applications, services, and platform. Consequently, as a customer you must ensure that you can lawfully process all personal data that you choose to collect, upload and process in connection with your use of Enalyzer services and that you comply with all of your obligations as data controller according to applicable law. Read more about your obligations towards respondents.

Enalyzer is the data processor. Enalyzer provides online applications and services for survey creators etc. We host an online platform but have no influence on the surveys made, their distribution, and analyses that are done or on any other services created by our customers by use of our applications, services, and platform. Consequently, we host and store our customers’ survey and other personal data on behalf of our customers and according to the customers’ instruction only. The terms and conditions applicable to Enalyzer’s processing of your personal data are governed by our Data Processing Agreement. Read more about the terms and conditions.

We safeguard your personal data. Your data is physically stored in the EU, by our hosting partner. They provide secure facilities to protect your data and comply with international regulations. Read more about our security.

Enalyzer's obligations as data controller. In order for you to access and use Enalyzer services, we require some information about you as our customer. In this case, Enalyzer is the data controller. You can read more about Enalyzer’s processing of your own customer information and our privacy policy in this respect below.

Survey Respondents and other Data Subjects

Enalyzer provides an online platform for survey creators and other services. We host an online platform but have no influence on the surveys made, their distribution, and analyses that are done or on any other services created by use of our applications, services and online platform. Enalyzer’s customers have complete control and administration rights over their surveys and other services. Therefore, if you, as a survey respondent or data subject in respect of any processing by our customers of your personal data, have any questions related to your survey or other service, please contact the person or organization that invited you to participate in the survey or service.

Are anonymous responses anonymous? Enalyzer provides customers with different options to collect information about their respondents/data subjects. Typically, the degree of anonymity in a survey or other service is communicated to respondents/data subjects in the invitation to the survey or other service, or in the survey or other service itself. Contact the person or organization that invited you to participate in their survey or other service for specific information about the survey or service.

Does Enalyzer sell respondent data to third parties? No. Never! We solely provide the survey platform to our customers.

Additional privacy Information for Enalyzer customers

In order for you as customers and users to access and use Enalyzer services and website, we require some information about you. In respect of the collection and processing of such personal information, Enalyzer acts as data controller.

What information do we collect and what do we do with it?

Purpose of Processing. In general, we use the information given from you directly or collected indirectly from third parties, when you use our online applications or services or visit our website for various purposes such as, giving you access to our applications or services, letting customer support handle your request, analyzing usage to improve the applications and services, sending you emails about new features and to prevent illegal activities. More specifically, we gather the following information for the following purposes of processing:

Registration information. We collect information in order for you to use our applications and services. When you sign up for an Enalyzer account, we register your username, password, and email and where necessary we also register your name, company name and address. You may also request support through our ticketing system via your email.

Billing. We require credit card information in order for you to pay for the services you acquire from Enalyzer. Enalyzer does not store your credit card details and data but has partnered with a well-reputed international service provider, Braintree (PayPal), which facilitates and handles payment and the security and privacy of your online payments.

Other Data. To improve our services to our users and develop new services, we collect, as almost any other service on the Internet, usage data like web pages visited, what you click on, cookies (read more below), device used, IP address, browser, and so forth. That goes for any navigation on our web page and our web applications. We use third-party tracking services to provide us with these data.

Marketing purposes. We will only contact you if you have consented to it. If you have provided us with your e-mail in connection with purchase of our services, we can also use your email to market our similar services. You can always change your mind and opt out from our communication to you. As stated above, we do not sell or share your information, unless we are forced to meet legal requirements like court orders or valid subpoenas.

What is the legal basis for the processing of your information?

The legal basis for processing of your data includes the following:

For the performance of contract, cf. art. 6(1) point (b) of the GDPR. When you sign up for and/or access Enalyzer services you accept and agree to the service agreement between you and Enalyzer including these Privacy Policy terms. Our processing of your data is necessary for Enalyzer’s performance of the agreement between you and us.

Legitimate interests pursued by Enalyzer, cf. art. 6(1) point (f) of the GDPR. Enalyzer may process your data if it is necessary to pursue our legitimate interests provided that such interests are not overridden by your fundamental rights and freedoms which require protection of your personal data. This may include processing of your data in order to improve our services including statistics and analysis of user behavior on our website.

Your consent, cf. art. 6(1) point (a) of the GDPR. We may require your consent to contact you for marketing purposes, to deliver newsletters or for other purposes. You can always change your mind and withdraw your consent. Please note that your withdrawal of your consent will not affect the lawfulness of our processing of your personal data before your withdrawal. If you want to withdraw your consent, click here to find the relevant contact details. However, if you withdraw your consent, we may have the right to process your data according to another legal basis as stated above. In such case we will inform you about the relevant legal basis.

Transfer of your data to third parties. We do not transfer your personal data to any third parties unless and only to the extent this is necessary for the purpose of our processing as set out above. This is the case for billing and handling of online payments for our services where we transfer credit card details to our service provider.

How do we safeguard your information and how long do we store it? We use a hosting partner to store and host all our data within the EU. All personal data are protected by appropriate technical and organizational measures set up by our hosting partner. We use data encryption and have rigid internal procedures to handle security of personal data. Read more about Enalyzer’s security.

Your rights as data subject. You will always be able to exercise your rights as data subject. These include your right of access to your data and the right to rectification of inaccurate personal data concerning you, the right to obtain erasure of your personal data and to object to the processing of your personal data. You can always contact Enalyzer in regard to your exercise of these matters. Click here to find the relevant contact details.
As we are obligated to ensure that your personal data is correct and updated and since our processing also depends on this, we kindly ask you to update your profile with us with relevant changes.

Effective date and modifications. Thank you for taking your time to learn about Enalyzer’s privacy policy and thank you for trusting us with your data. This privacy policy is effective as of May 25, 2018. If there are any changes, we will post them on our website and our users will be properly informed.

Contact information and Data Protection Officer. If you have any questions related to this policy, please contact us at:

Enalyzer A/S
Privacy team
Refshalevej 147
1432 Copenhagen
Denmark
privacy@enalyzer.com

Enalyzer has appointed a Data Protection Officer (DPO). Click here to find the contact details of our DPO.

Complaints. If you wish to complain about Enalyzer’s processing of your data you can always contact Enalyzer. You also have the right to lodge a complaint with the Supervisory Authority. You can find more information about your right to complain at www.datatilsynet.dk.

Minors. Enalyzer services are not meant for and must not be used by minors. “Minors” are persons under the age of 13 (or under such higher age that applies under applicable law in the relevant country to consider a person of legal age). Enalyzer does not deliberately collect personal data from minors or allow them to register and sign up for our services. If we become aware that we have collected or received personal data from a minor, we may without warning or notice delete such personal data. Please contact us if you have reason to believe that this is the case.

Spam Policy

You must use Enalyzer in accordance with Enalyzer’s current terms and conditions. If your usage of Enalyzer violates the terms and conditions, Enalyzer may issue a warning, suspend or terminate your account. Please note that Enalyzer can change their terms and conditions at any time and it is your responsibility to stay updated and adhere to these.

Enalyzer has a zero-tolerance policy towards spam. This means that all email recipients must have opted to receive messages from the sender, i.e. you. Users who send unsolicited emails may be terminated. It is your responsibility to ensure that the emails you send out in connection with your surveys are not marked as spam or have a higher refusal rate than the industry standard. If Enalyzer determines that your level of spam reports or your refusal rate is higher than the industry standard, Enalyzer has the sole discretion to suspend or terminate your usage of their website and services. If you have low response rates, high misuse rates or high spam rates, Enalyzer may request further information regarding your mailing lists to investigate and try to solve the issue or, in some cases, suspend or take away email privileges from your account. Emails that you send via Enalyzer must have a valid reply-to address, which is owned or controlled by you. You may only use Enalyzer to send emails to recipients who have given their explicit consent, or to those whose email addresses you have because of their relationship with you as a supplier, client or employee.

Enalyzer forbids the use of email address harvesting. Enalyzer will terminate accounts that violate this prohibition. Enalyzer forbids the use of third-party purchased or rented mailing lists unless you are able to document that the people on the list have opted to receive emails of the type you are going to send them. You must not send emails to newsgroups, internet forums, distribution lists or email addresses you have obtained without permission. You must not use Enalyzer to send emails with fake or misleading subject lines and headlines.

Cookie Policy


A cookie is a message that a web browser stores on a user’s machine in the form of a text file. We use cookies for our website visitors, users of our web apps and finally the respondents taking a survey. More specifically, we apply the following cookie services:

– Raygun: We use it for alerts on failures in our websites and web apps.
– Azure/Itadel: The purpose is to monitor that we provide secure and stable hosting.
– Google: In order to track Google AdWords campaigns.
– Enalyzer's own technology: We use it to track usage patterns of our visitors and web app users, on an aggregate level. We also use cookies in our web apps for individual users on certain features, e.g. to enable speedy navigation in our app.

As a user you can change your browser settings to prevent new cookies from being set or delete old ones. If you decide to block cookies completely, your usage of our services might be limited.

Finally, we use clear gifs in newsletters to track open rates, clicks etc. The service we use is Sendgrid. You can always opt out of our newsletter.


Terms of Use


Welcome to Enalyzer. Please read the following Terms of Use carefully, as it contains the legal terms and conditions that you have agreed to when you access or use Enalyzer services as described in Clause 2 (hereinafter the "Service"). In addition to these Terms of Use, Enalyzer’s Security Policy, Privacy Policy and Enalyzer Data Processing Agreement, available at Enalyzer website, shall apply. If you are acting on behalf of someone else, such as a business entity, a company etc., you agree that you are authorized to enter into this free or paid subscription agreement (hereinafter the "Subscription"). By entering into the Subscription you confirm that you yourself or the entity you represent is party to the Subscription (hereinafter the "Customer") and that Customer is bound by the Subscription and the terms and conditions set out in these Terms of Use, Enalyzer’s Security Policy, Privacy Policy and Enalyzer Data Processing Agreement.

The use of the Service is limited to the specific persons stated in the Acceptance Form (hereinafter "User" or "Users"). Each User will have a unique and personal license to access the Service. An individual user name and password per User will be allotted. User names and passwords may not be transferred to any other person without the acceptance of Enalyzer.

1. Commencement, term and termination

1. The Services are operated by Enalyzer Software A/S, CVR No. 32443591, Refshalevej 147, 1432 Copenhagen K, Denmark ("Enalyzer"). 2. The Subscription takes effect upon the acceptance by, or on behalf of, the Customer.

2. Free Subscription shall be valid for an indefinite period. Paid Subscription shall be valid for the period chosen by you (the "Subscription Period").

3. After the end of any paid Subscription Period the Subscription continues on the same terms for a new Subscription Period of the same length as the preceding Subscription Period unless terminated by the Customer prior to the end of the current Subscription Period by logging in and unsubscribing on the account settings of the Enalyzer website, or unless terminated before the end of the current Subscription Period by Enalyzer by email to the Customer. If not terminated prior to the end of a Subscription Period the Subscription will continue for a new Subscription Period, consecutively, and if payment for the preceding Subscription Period has been made by credit card, payment will be automatically credited from the credit card account used by the Customer for the preceding payment. The Customer hereby expressly accepts such automatic payment.

4. A free subscription does not terminate until terminated by the User or by Enalyzer.

5. Terminated paid Subscriptions are automatically downgraded to the limited free Subscription from where the use of the Service can be fully terminated.

2. The Service

1. Enalyzer provides various online data processing services including among others a survey and reporting tool. Enalyzer’s data processing services consist of software developed by Enalyzer with access to an online platform and a number of servers operated by or on behalf of Enalyzer in the EU (the "Service").

2. The Service may also include consultancy services, support services and/or education services, either offered for free or against payment through a separate agreement.

3. The Service is a standard service and Enalyzer does not guarantee that the Service meets the Customer’s particular requirements, nor that use of the Service will lead to specific results for the Customer.

4. Enalyzer supports the most common browsers, in their most recent versions. Enalyzer’s online platform is continuously updated to support new browsers and new versions of existing browsers, as they become common in the market.

3. Registration

1. The Customer undertakes to give complete and accurate information, when creating a User access to the Service. The Customer shall without undue delay inform Enalyzer of any changes in this information.

2. The Customer shall ensure the secure and confidential storage of username and password for the Service. Should the Customer become aware that the username or password is abused, or should any other unauthorized use of the Service take place, the Customer shall inform Enalyzer hereof immediately.

3. If Enalyzer has probable cause to suspect any abuse of the Service or missing Subscriptions, Enalyzer shall inform the Customer and take the necessary measures, including denial of access to the Service.

4. Enalyzer’s obligations

1. The Customer's use of the Service implies that Enalyzer will be processing data, including personal data, belonging to the Customer. Consequently, Enalyzer and the Customer hereby enter into the Enalyzer Data Processing Agreement with Enalyzer as the Data Processor and the Customer as the Data Controller. In the event of any conflict between these Terms of Use and the Enalyzer Data Processing Agreement in relation to the processing of personal data, the terms of the Enalyzer Data Processing Agreement shall prevail.

2. Enalyzer uses a third party cloud-platform for hosting of the Service and shall store the Customer's data in a secure manner as further described in the Enalyzer Data Processing Agreement. Enalyzer shall not disclose Customer’s data without the written consent of the Customer.

3. Enalyzer shall provide a secure technical platform, which shall be constantly monitored and maintained by a reputable hosting supplier, cf. Enalyzer’s Security Policy and Privacy Policy.

4. In case of system failure Enalyzer shall, as quickly as possible, initiate a restart of the Service. Enalyzer cannot be held liable for any loss, directly or indirectly attributable to a system failure, unless this failure is due to willful misconduct or gross negligence on the part of Enalyzer.

5. Enalyzer acknowledges that data is collected on behalf of the Customer and that the rights to this data belong to the Customer. However, Enalyzer has the right to analyze the Customer’s use of the Service in order to improve the Service and develop new services as described in the Privacy Policy regarding use of the Customer Data.

6. Enalyzer endeavors to ensure that the Service is run as securely and stably as possible in accordance with good IT practice. Enalyzer has designed the Service in accordance with good, professional practice and has implemented appropriate security measures for the operation of Enalyzer’s online platform and the Service to ensure ongoing confidentiality, integrity, availability and resilience. Enalyzer will use all reasonable means to ensure that the Service is at all times operational and accessible to the Customer or respondents, and that specific transactions may at all times, or at any given time, be initiated and/or carried out on the Service. Enalyzer’s security measures and compliance with the General Data Protection Regulation (GDPR) are described in more detail in Enalyzer’s Security Policy. Notwithstanding the foregoing, the Service is delivered “as is” and to the extent permitted by law Enalyzer disclaims all guarantees, whether explicit or implied or by law, including but not limited to fitness for a particular purpose, and does not guarantee faultless functionality, including that the Service cannot be exposed to hacker attacks, or other unauthorized access to the Service, i.e. in the form of forced entry into the IT systems on which the Service is based.

7. Enalyzer is entitled to shut off access to the Service completely, or in part, due to security or operational reasons. If reasonably possible Enalyzer shall prior hereto give the Customer an adequate notice.

5. The obligations of the Customer

1. The Customer undertakes to use the Service in accordance with the instructions provided by Enalyzer at any time, including this Subscription. The Customer shall not attempt to break into the underlying database or any other system resources. Equally, the Service must not be used in any way, which can be said to be detrimental to Enalyzer or any third party, and consequently the Customer must not use the Services for purposes such as spamming.

2. The Customer guarantees Enalyzer that the Customer’s use of the Service is lawful in respect of all applicable legislation in any country where the Service is used, including in compliance with any Marketing Practices Act and any Data Protection Act including the General Data Protection Regulation (GDPR). The Customer is solely liable to respondents and third parties for any claims resulting from the Customer’s use of the Service.

3. The Service is not meant for and must not be used by minors. “Minors” are persons under the age of 13 years (or under such higher age that applies under applicable law in the relevant country to consider a person of legal age).

6. Marketing and service information

Enalyzer may contact Customer, its Users and other employees directly by e-mail for marketing purposes only if they have consented to it. If Customer or its Users have provided Enalyzer with their e-mail in connection with purchase of the Service Enalyzer may also use these e-mails to market similar services. Customer and its Users can always withdraw a consent to direct marketing by e-mail and/or opt out from our marketing communication to you.

Enalyzer may also use Customer’s and its Users’ e-mails to provide service and support information such as service updates, new features and other information regarding improvement of Customer’s use of the Service and its functionality and features.

7. Prices and payment

1. All price information is stated on Enalyzer’s website in the indicated currency. Invoicing will include Danish VAT of 25% and other applicable taxes.

2. Enalyzer can adjust the prices on the Service to take effect from a new Subscription Period, with a written notice to the Customer of minimum 30 days prior to the commencement of a new Subscription Period.

8. Intellectual Property Rights

1. The Customer holds all rights to own content and data, including personal data on the Customer’s employees or customers and other respondents and any related analysis. Enalyzer shall have no rights to use Customer’s content or data except for the limited rights that are acquired to provide the Service to the Customer or as otherwise described in the Subscription or Enalyzer’s Privacy Policy.

2. Enalyzer holds all rights in and to the Service and its individual components, including name, logo, other trademarks, programming, databases, catalogues, design, graphics and texts, unless such material originally belongs to the Customer. This also applies to all other material given to the Customer.

3. The Customer shall not, without a written agreement with Enalyzer, use the Service or any other material to which Enalyzer holds the rights. However, the Customer acquires the right of use to graphic elements and text, resulting from analysis carried out on behalf of the Customer.

4. The Customer’s License to the Service and any other material, to which the Customer acquires the right of use or copyright, is conditional upon the Customer’s payment of the remuneration agreed upon.

5. Each party shall indemnify the other party for any loss occurred due to claims from a third party that information, design, specifications, software, data and other entities, delivered by the party in question infringe third party rights.

9. Limitation of liability and damages

1. The parties are liable in damages in accordance with the general rules of Danish law.

2. However, neither party is liable for indirect loss, including loss of data. Thus, Enalyzer is i.e. not liable for any acts carried out on the basis of analysis prepared by way of the Service.

3. Enalyzer’s liability in damages with respect to the Service and the Subscription is limited to the amount paid to Enalyzer by the Customer, regarding the Subscription for a period of 12 months prior to the accrual of the claim. In the event of free Subscription the amount is limited to the lowest applicable price of a paid Subscription for a period of 12 months prior to the accrual of the claim.

10. Force majeure

1. The parties are in no event liable for the performance of their obligations under the Subscription, if the failure to perform is due to force majeure. Force majeure shall mean situations such as strike, lockout, rebellion, acts of war, disease epidemics, natural disasters and fire, outside the parties’ control and which the parties, when entering into the Subscription, neither could foresee, nor ought to have avoided or overcome.

11. Confidentiality

1. Each party undertakes to keep know-how, business secrets, personal and customer information or other confidential information, confidential.

2. The duty of confidentiality does not apply to information, which was available to the public at the time of disclosure, or if the other party can prove that the party receiving such information was already familiar with the information when receiving it, or if the information in question was otherwise lawfully available to the recipient at this point in time.

3. Each party undertakes, in respect of the other party, to impose a similar duty of confidentiality on employees and sub-suppliers.

12. Breach

1. No refund of prepayments shall take place in case of termination of the Subscription by the Customer.

2. Either party can terminate the Subscription with immediate effect in case of material breach on the part of the other party, which if capable of remedy has not been remedied within the expiry of a written notice of thirty (30) days from the party in breach. Material breach occurs if: a) the Customer uses the Service contrary to their purpose, b) the Customer unlawfully copies trademarks, software or other items belonging to Enalyzer, c) the Customer fails to comply with its obligations provided by clause 5 of the Subscription.

3. In case of termination due to the Customer’s material breach any prepaid amounts are not refunded. In case of termination due to material breach on the part of Enalyzer, or if the subscription is terminated by Enalyzer, any prepayments in respect of the actual Subscription Period will be refunded on a pro rata basis. Beyond this, the Customer is not entitled to any refunds in connection with termination.

4. If the Customer wishes to object to a defect in the Service, this must take place without undue delay and one week at the latest following the occurrence of the defect.

5. Enalyzer cannot be held liable for any defects in the Service to which the Customer has not objected six (6) months at the latest after the Service being delivered to the Customer.

13. Assignment

1. The Customer is not entitled to assign its rights or obligations under the Subscription to any other party.

2. Enalyzer is entitled to assign its rights and obligations under the Subscription to any bona fide third parties.

14. Venue and governing law

1. Any disputes related to this Subscription, or agreements to which these terms of Subscription apply, shall be brought before the courts, with the City Court of Copenhagen as the court of first instance.

2. Danish substantive law shall apply without regard to its principles of conflicts of law.

15. Effective Date and modifications

The Subscription is effective by 25 May 2018.

Enalyzer is entitled to amend the terms of the Subscription with not less than 30 days’ notice. In such case Enalyzer will inform the Customer and also post any changes on Enalyzer’s website.


Data Processing Agreement

ENALYZER DATA PROCESSING AGREEMENT


(for Processing within the EU)

Applicable to the agreement(s) entered into by Enalyzer A/S and the customer regarding use of Enalyzer’s services.

Please be aware, if you are a user of our other Enalyzer products Enalyzer Survey Solution and Enalyzer Relations Panel, the following Data Processing Agreement applies.

BETWEEN:

Customer hereinafter referred to as “Controller”

and

Enalyzer Software A/S, CVR-No. 32443591, having its registered office at Refshalevej 147, 1431 Copenhagen, Denmark, hereinafter referred to as “Processor”

collectively referred to as “Parties” and individually referred to as “Party”

WHEREAS



i. Processor offers various online data processing services including among others a survey and reporting tool to Controller via Processor’s online platform and/or consultancy services as further defined in article 1.8 (“Processor’s Services”) which includes processing of personal data and is in that capacity a processor in a legal sense.

ii. Controller intends to use Processor’s Services. By usage of Processor’s Services, Controller may share Personal Data (as defined under article 1.2) of its Data Subjects with Processor and is in that capacity a controller in a legal sense.

iii. Parties acknowledge and agree that Controller solely determines the means and purposes for the processing of Personal Data by Processor.

iv. The purpose of the Agreement is to ensure the Parties' compliance with Article 28 (3) of the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter "the GDPR") stipulating specific requirements to the content of a data processing agreement.

v. Parties acknowledge that modification of the Agreement may impair its validity in the light of the aforementioned legislation.

vi. In this Agreement, Parties wish to set out the subject-matter and duration of the processing of Personal Data, the nature, and purpose of the processing, the type of Personal Data and categories of data subjects and the obligations and rights of Parties.

vii. In the event of any discrepancies between this Agreement and any other agreements between the Parties, including the Main Agreement, concerning a matter in relation to the Processing of Personal Data, the terms of this Agreement shall prevail.

THE CONTROLLER AND THE PROCESSOR HAVE AGREED


As follows in order to ensure adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals with regard to the processing of Personal Data as specified in Appendix 1:

1. Definitions
1.1. In addition to the definitions used elsewhere in this Agreement, the definitions set out below shall apply and have the meaning set out therein.

1.2. ‘Agreement’ shall mean this data processing agreement including its appendices;

1.3. ‘Personal Data’ shall mean any information in connection with the Service Agreement relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

1.4. ‘Processing’ shall mean any operation or set of operations in connection with the Service Agreement which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

1.5. 'Third Country' shall mean countries outside the EU and European Economic Area (EEA).

1.6. ‘Third Party’ shall mean any natural or legal person, public authority, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the Personal Data;

1.7. ‘Personal Data Breach’ shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;

1.8. ‘Main Agreement’ shall mean the Agreement between Controller and Processor regarding use of Processor’s Services and/or the Consultancy Agreement between Controller and Processor;

1.9. ‘Processor’s Services’ shall mean (i) the various online data processing services rendered by Processor pursuant to the Main Agreement, including among others provision of a survey and reporting tool and hosting of Controller's data, including Personal Data and/or (ii) consultancy services provided by the Processor according to the Main Agreement, and/or (iii) support and/or education services provided by the Processor from time to time to the Controller;

1.10. ‘EU’ shall mean the European Union including the European Economic Area (EEA).

2. Scope and details of Processing
2.1. The Controller hereby authorizes the Processor to Process the Personal Data on behalf of the Controller on the terms and conditions set out in this Agreement. The Processor shall Process the Personal Data only on documented instructions from the Controller. The Parties agree that this Agreement shall constitute the instructions as of the date of the Agreement. The Processor may – unless otherwise specifically set out in the Agreement – apply all relevant means, including software, servers, and IT systems.

2.2. The Controller may at any time amend or specify the instructions in accordance with article 11. Notwithstanding the foregoing, article 11 can only be amended according to mutual agreement between the Parties.

2.3. The details of the Processing of Personal Data, and in particular the categories of Data Subjects, types of Personal Data and the purposes for which they are Processed, are specified in Appendix 1, which forms an integral part of the Agreement.

3. Security measures
3.1. The Processor agrees to implement appropriate technical and organizational measures in such a manner that the Processing of the Personal Data will meet the requirements of the GDPR and other applicable national and EU data protection law including the GDPR and ensure the protection of the rights of the Data Subjects.

3.2. The details of the security measures taken by Processor in this respect for the Processing of Personal Data are specified in Appendix 2, which forms an integral part of the Agreement.

3.3. The Parties agree that the technical and organizational measures and level of security set out in Appendix 2 are sufficient to comply with the Processor’s obligations set out in this clause 3 at the time of the conclusion of this Agreement.

3.4. If the Controller after the conclusion of this Agreement based on its own security and risk assessment requests that the Processor shall implement additional security measures or other technical or organizational measures than agreed to in Appendix 2, such request shall be handled in accordance with and is subject to clause 11 of this Agreement.

4. Obligations of the Controller
The Controller agrees:

4.1. To ensure that the Personal Data is collected by Controller in accordance with the relevant provisions of the GDPR and other applicable EU and national data protection law in the Member State in which the Controller is established (and where applicable has been notified to the relevant authorities of that Member State) and does not violate the relevant provisions of that Member State.

4.2. That Controller shall indemnify Processor for any cost, charge, damages, expenses, administrative fines or loss or damage it has suffered or incurred due to a violation by Controller of the GDPR or applicable EU or national data protection law or this Agreement.

5. General obligations of the Processor
The Processor agrees:

5.1. to process the personal data in accordance with the security measures set out in Appendix 2;

5.2. to process Personal Data only in accordance with the instructions from the Controller, cf. clause 2, including with regard to transfers of Personal Data to a Third Country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;

5.3. where necessary and taking into account the nature of the Processing, to assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation by law to respond to requests for exercising the Data Subjects’ rights laid down in chapter III of the GDPR;

5.4. where necessary and taking into account the nature of the Processing, to assist the Controller in its compliance with an obligation to carry out a data protection impact assessment and prior consulting of supervisory authorities, cf. articles 35 and 36 of the GDPR;

5.5. to provide Controller upon request and within reasonable time the information necessary to demonstrate compliance with the obligations laid down in this clause 5;

5.6. to cooperate (including representatives of Processor), on the Controller’s request, with the supervisory authority in the performance of its tasks;

5.7. to allow for and contribute during normal business hours to reasonably necessary audits including inspections, conducted by an external qualified auditor mandated by the Controller, solely for the purpose of fulfilment of the Controller's obligations laid down in Article 28 of the GDPR and for accurately stipulated research questions in this connection provided that such external qualified auditor is subject to and bound by confidentiality obligations as stipulated in clause 12;

5.8. to once a year make an audit report available on the Processor’s website with information indicating that the Processor complies with the Agreement. The report shall be based on applicable, acknowledged audit standards, e.g. ISAE 3000 or 3402, ISO 27001 or similar;

5.9. to notify Controller in the event of a Personal Data Breach as set out in clause 6;

5.10. to notify Controller in the event that a supervisory authority contacts Processor, insofar as permitted by law.

6. Personal Data breach
6.1. Processor will notify the Controller without undue delay after becoming aware of a Personal Data Breach.

6.2. The aforementioned notification shall describe the nature of the Personal Data Breach including where possible: (i) the (estimated) time of the Personal Data Breach; (ii) the likely consequences of the Personal Data Breach; (iii) reasonable measures taken or proposed by the Processor to mitigate the consequences of the Personal Data Breach.

6.3. The Controller shall immediately notify the Processor in writing of any possible unauthorized use of log-in information, passwords, credentials or other security breaches related to the Service Agreement.

7. Records of Processing activities
7.1. The Processor shall maintain, in written and electronic form, records of all categories of Processing activities carried out on behalf of the Controller according to the Main Agreement, containing:

(i) the name and contact details of the Processor and any Sub-processors and where applicable their respective representatives and/or data protection officer;
(ii) name and contact details of the Controller;
(iii) the categories of Processing carried out on behalf of the Controller;
(iv) where applicable, transfers of Personal Data to a Third Country or an international organization, including the identification of that Third Country or international organization, and, in the case of transfer referred to in the 2nd subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
(v) a general description of the technical and organizational security measures as referred to in Appendix 2 and subsequent amendments thereto.

7.2. The Processor shall make the records available to the Controller and the supervisory authority on request.

8. Costs for assistance and audits
8.1. In the event Controller requires assistance of Processor or the Processor’s Sub-processors pursuant to this Agreement (including, but not limited to clauses 5.3, 5.4, 5.5, 5.6, 5.7, clause 6.5 and/or clause 7.2), this assistance is charged under the conditions set out in Appendix 3, which forms an integral part of the Agreement.

8.2. The annual audit report made available on the Processor’s website according to clause 5.8 shall be prepared at the Processor's expense. Any additional audit reporting or additional other similar documentation requested by the Controller shall be prepared and made available according to separate agreement and at the expense of the Controller and is charged under the conditions set out in Appendix 3.

9. Duration of Personal Data storage
9.1. Processor will give Controller access to system functionality in order for the Controller to delete and/or return (i.e. export) any and all of Controller’s data including the Personal Data during the Agreement. Upon expiry of the Agreement, the Processor will delete all of Controller’s data including the Personal Data, unless Union or Member State law requires storage of the Personal Data.

9.2. The process and timeframes for deletion of Controller’s data including the Personal Data are described in Appendix 4, which forms an integral part of the Agreement.

9.3. If Controller requests the Processor’s assistance to delete and/or return (i.e. export) the Controller’s data including the Personal Data during and upon the expiry of the Agreement such assistance shall be rendered by Processor at Controller’s expense and is charged under the conditions set out in Appendix 4.

10. Sub-processing
10.1. The Processor shall not engage a sub-processor for the Processing of the Personal Data on behalf of the Controller ("Sub-processor"), unless this is approved by the Controller by (i) a general or specific authorization according to Appendix 5 to this Agreement or (ii) specific instruction from the Controller.

10.2. In the event that Processor engages Sub-processors for carrying out Processing activities on behalf of the Controller in accordance with Appendix 5, the same data protection obligations as set out in this Agreement shall be imposed on that Sub-processor by way of a contract or other legal act under EU or national Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Agreement.

10.3. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. However, the Controller cannot object to any intended changes concerning the addition or replacement of Sub-processors, if the new Sub-processor provides sufficient guarantees with respect to implementation of appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR as outlined in this Agreement. If the Controller does not object to changes concerning the addition or replacement of Sub-processors within 30 days from the Processor’s notification of the intended changes, such changes shall be deemed to be accepted by the Controller.

10.4. Processor shall remain liable to the Controller for the performance of its Sub-processor's obligations.

10.5. If the Controller requests the Processor to document its Sub-Processor’s compliance with the obligations laid down in Article 28 of the GDPR the Processor shall be entitled to fulfil this obligation by referring Controller to the relevant audit reports or similar documentation made available by the respective Sub-Processors with information indicating that the Sub-Processor in question complies with the GDPR, provided that such audit report(s) or similar documentation shall be based on applicable, acknowledged audit standards, e.g. ISAE 3000 or 3402, ISO 27001 or similar standards. Any additional audit reporting or additional other similar documentation requested by the Controller will be at the Controller’s cost and expenses and is charged under the conditions set out in Appendix 3.

11. Change of instructions
11.1. Prior to any change of the instructions the Parties shall to the widest possible extent discuss in good faith, and if possible agree on, reasonable terms for the implementation of such changes, including the implementation period and the related costs.

11.2. The Processor shall use reasonable endeavours to comply with any legislative changes. However, the Processor shall not be obligated to implement any change of the instructions if the Parties cannot in good faith agree to reasonable terms for the implementation. If the Parties fail to agree in good faith to reasonable terms regarding change of the instructions each Party shall be entitled to terminate this Agreement with a written notice of 60 days, provided that such changes are deemed necessary to comply with the GDPR or other applicable EU or national data protection laws and regulation. The Main Agreement and other agreement between the Parties involving Processing of Personal Data shall automatically terminate at the same time.

11.3. Unless otherwise agreed the following applies:

(i) The Processor shall without undue delay initiate implementation of agreed changes of the instructions and shall ensure that such changes are implemented without undue delay in relation to the nature and extent of the changes.
(ii) The Processor is entitled to payment of all costs directly connected with changes of the instructions, including implementation costs and increased costs for delivery of the Services.
(iii) The Controller must without undue delay be informed of the indicative estimate of the implementation period and the related costs.
(iv) Changes to the instructions are not regarded as being in force until the time when such changes have been implemented provided that the implementation hereof is carried out in accordance with this clause 11.2.
(v) The Processor is exempt from liability for failure to deliver the Services to the extent (incl. in terms of time) that delivery of the Services will be contrary to the changed instructions, or delivery in accordance with the changed instructions is impossible. This may be the case e.g. in the event that (i) the changes cannot be made due to technical, practical or legal reasons, (ii) the Controller explicitly states that the changes are to apply before implementation is possible, or (iii) during the period until the Parties carry through any necessary changes of the Agreement in accordance with the amendment procedures herein.

12. Confidentiality
12.1. Neither Party is permitted to disclose any confidential information. This information includes, but is not limited to Personal Data, documents marked "confidential", information of which the confidential nature must be assumed and information that has not been made publicly available by any Party.

12.2. A Party may only disclose confidential information when obliged by applicable law or unless otherwise agreed upon, signed in writing.

12.3. Processor ensures that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

12.4. The Processor must ensure that the persons performing work for the Processor and who have access to Personal Data, only process such Personal Data as instructed by the Controller, unless processing is required under applicable EU law or national legislation.

13. Liability
13.1. The Processor shall be liable for damages in accordance with the general rules of Danish law subject to the limitations set out in this clause 13.

13.2. The Processor shall not be liable to pay damages for any indirect, consequential or incidental loss or damages including but not limited to loss of goodwill, loss of expected profit and/or loss of operation, arising out of or in connection with the Agreement.

13.3. The Processor shall not be liable for loss or damages if caused by the Controller’s failure to comply with its obligations according to applicable EU or national data protection laws and regulations or this Agreement or in the event of the Controller’s breach of the Main Agreement and/or other agreement between the Parties involving Processing of Personal Data, the Controller’s failure to comply with its obligations towards a supervisory authority or penalties imposed by a supervisory authority due to the Controller’s breach or failure to comply.

13.4. In any case the liability of Processor is limited to the amount that is paid out in that specific case under Processor’s liability insurance policy, and if applicable increased by the deductible.

13.5. If for whatever reason the aforementioned insurance policy does not entitle Processor to any payment, the Processor's liability will in any case be limited to direct damages, with a maximum of three (3) times the sum invoiced to Controller pursuant to the Main Agreement in the foregoing six (6) months after a claim was made, however, not in any event exceeding a maximum of € 10,000, unless the damage has resulted from a willful misconduct or gross negligence on the Processor's part.

13.6. Notwithstanding the foregoing, the limitations of the Processor’s liability set out in this article shall not apply to loss suffered or costs incurred by the Controller due to the Processor’s failure to comply with its obligations towards a supervisory authority or penalties imposed by a supervisory authority due to the Processor’s material breach.

13.7. Any claims by the Controller for compensation of damages will expire one year after the date on which the Controller became aware of or ought to have become aware of said damage.

14. Term and Termination of the Agreement
14.1. The effective date of the Agreement is determined by the effective date of the Main Agreement.

14.2. The termination of the Agreement does not affect provisions relating to confidentiality, and those provisions which by nature are intended to survive the termination.

14.3. This Agreement forms an integral part of the Main Agreement and consequently terminates simultaneously with the termination of the Main Agreement.

14.4. A Party may terminate the Main Agreement in the event of the other Party’s material breach of this Agreement. Where such breach is capable of being remedied, a Party may only terminate the Main Agreement if the breaching Party has not remedied such breach within 30 days after giving written notice of such breach and the consequences of failure to remedy the breach.

15. Governing Law and amendments
15.1. The legal relationship between Controller and Processor is exclusively governed by the laws of Denmark without regard to its principles of conflicts of law. Disputes between parties will, in the first instance, be exclusively resolved by the District Court of Copenhagen, Denmark.

15.2. In the event that Parties agree to amend the Agreement, said amendments shall be attached to the Agreement in an additional Appendix 6. Amendments from the Agreement are only valid if the provisions concerned are explicitly referred to (when applicable) and explicitly derogated from; and only if the appendix is signed and dated by both Parties.

16. Acceptance and execution
16.1. This Agreement is binding on the Processor.

16.2. By Controller’s log-in to its Enalyzer account and access and continued use of the Processor’s Service as of 25 May 2018 the Controller agrees to this Agreement and accepts to be bound by its terms and conditions.

Appendix 1 Details of Processing of Personal Data



This Appendix forms part of the Agreement.
1. Description of the activities by the Processor relevant to the Processing of Controller’s Personal Data:

1.1. Depending on the scope and nature of the Main Agreement, the activities to be performed by the Processor under this Agreement relevant to the Processing of Personal Data may include the following:

1.1.1. Provision of various online data processing services including among others a survey and reporting tool via software solutions and platform made available from enalyzer.com

1.1.2. Hosting of Personal Data.

1.1.3. Provision of various consultancy Services

1.1.4. Provision of support and/or education Services.

1.2. As part of the Main Agreement the Controller may also choose to use third party integration services and/or applications made available by the Processor on Enalyzer.com in cooperation with the third party providers of such integration services and applications. If the Controller uses such third party integration services and/or applications it hereby authorises the Processor to:

i) provide, transmit or transfer the data, including Personal Data, of the Controller to the third party provider of the relevant integration service and/or application, provided and only to the extent this is necessary for the performance and use by Controller of the said integration services and/or applications, and

ii) Process data, including Personal Data, of the Controller that are transferred from the third party provider of the relevant integration service and/or application to the Controller’s Services with Processor.

1.3. It is the sole responsibility and liability of the Controller to ensure the necessary basis of lawful Processing for the transfer of the Controller’s Personal Data to and from any third party provider of an integration service and/or application that is used by the Controller via Enalyzer.com and the Processing by any third party provider of the Controller’s Personal Data in this respect.

2. Data Subjects
2.1. The Controller will import Personal Data to the Services for Processing by Processor that may concern any of the following categories of Data Subjects, including but not limited to:

2.1.1. Controller’s employees, board members and officers

2.1.2. Controller’s customers, clients and other business partners

2.1.3. Citizens of Controller

2.1.4. Students, pupils and other users of public and private institutions

2.1.5. Children

2.1.6. Patients and relatives

2.1.7. Private users

2.1.8. Business Users

2.1.9. Members of foundations, unions, associations and/or political organizations

3. Categories of data
3.1. The Personal Data Processed may fall within any of the following categories of data.

3.2. Non-sensitive data (cf. GDPR article 6) of any kind including but not limited to contact information such as name, address, phone and/or mobile, gender, age, date of birth, preferences, employment position, family status etc.

3.3. National identification number.

3.4. Sensitive data (cf. GDPR article 9)*.

3.5. Data relating to criminal convictions and offences (cf. GDPR art. 10).

*Sensitive data includes: data revealing racial or ethnic origin, political opinions, religious and/or philosophical beliefs, trade union membership, processing of genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health and/or data concerning a natural person's sex life or sexual orientation.

Please note that for the processing of sensitive data, explicit consent of the Data Subject is required.

Appendix 2 Security of Processing



This Appendix forms part of the Agreement.

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller and the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) encryption of personal data when transmitted via public networks and in connection with remote access to Controller’s systems;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal data transmitted, stored or otherwise processed.

3. The Processor hosts the data, including Personal Data, of the Controller via Microsoft Cloud Azure. The online hosting Services are delivered from data centres solely situated within the EU, in Ireland and the Netherlands.

4. Microsoft Azure platform provides the security measures as described on www.enalyzer.com.

5. Particular security measures to be taken out by the Processor under this Agreement are specified in detail on www.enalyzer.com (Processor's Security and Privacy Protection Policies).

Appendix 3 Costs for assistance and audits



This Appendix forms part of the Agreement.
1. In the event that Controller requires assistance from the Processor or any of the Processor’s Sub-processors pursuant to this Agreement, such assistance is charged as follows:

1.1. payment for time spent per person, including preparation, at an hourly rate of € 150,- excluding VAT (if applicable), and

1.2. payment of reasonable costs and expenses incurred during the course of providing a task or otherwise as a necessary part of such task or other assistance.

2. All costs and expenses of audits or inspections required and conducted by the Controller or its representatives in respect of the Processor’s or the Processor’s Sub-processors’ compliance with article 28 of the GDPR shall be borne solely by Controller unless otherwise specifically follows from the Agreement.

Appendix 4 Deletion of data



This Appendix forms part of the Agreement.

Data deletion

The Processor operates with different time frames of deletion of the Controller’s data depending on the circumstances. These are described below.

I. The Controller deletes data during the term of the Agreement

During the term of the Agreement the Controller can delete its data in three (3) ways:

1. Delete respondents in a survey project. In this case, the data regarding respondents will be deleted after ten (10) days.
2. Delete a whole survey project. In this case, it will take 90 days before the data are deleted.
3. Delete an organization. In this case, all data regarding the Controller's organization will be deleted after 110 days.

In each of cases 1, 2 and 3, backups of all data are in any case kept by the Processor for thirty (30) days after deletion.

II. Deletion after the termination of the Account

Upon termination of the account, a grace period of twenty (20) days will take effect. The grace period is provided, in case the Controller and Processor mutually agree to re-enter into/continue the Agreement. If not, the deletion process will automatically initiate after the expiry of the grace period. Hereafter Controller’s data will be automatically deleted after ninety (90) days.

Backups of all data are in any case kept by the Processor for thirty (30) days after deletion.

III. Deletion or export of data upon Controller’s request

The Controller may at any time request the Processor’s assistance to perform deletion or export of data subject to separate payment for these services at an hourly rate of 150 Euro.

Upon receipt of such written request the Processor will within a maximum of five (5) working days, immediately delete or export all of Controller’s survey project data and delete Controller’s organization (if any).

Backups of all data are in any case kept by the Processor for thirty (30) days after deletion.

Notwithstanding the expiry of the Agreement the Processor's Processing of the Controller’s Personal Data during the deletion periods stipulated in the above clauses is to be regarded as taking place according to the Controller’s instructions.

Appendix 5: Sub-processors



This Appendix forms part of the Agreement.

I. General Authorization

1. The Controller hereby gives the Processor its prior general written authorization to use Sub-processors. A list of the Sub-Processors used by the Processor at the date of the Agreement is made available hereunder:

2. Microsoft Azure

2.1. The Processor has entered into an agreement with Microsoft Corporation whereby Microsoft is a Sub-processor to the Processor acting (on the Controller's behalf) to provide hosting Services via the Microsoft Azure Cloud Platform. All of Controller's data including Personal Data are hosted on the Microsoft Azure Cloud Platform in Ireland and the Netherlands. The Hosting Services do not take place in countries outside the EU.

2.2. In the event of Microsoft’s termination of its agreement with the Processor (in whole or in part) regarding the Microsoft Azure Cloud Platform, the Processor shall endeavour to provide a new hosting Service to the Controller within the EU as soon as reasonably possible. The Processor is entitled to terminate the Agreement in whole or in part with a prior notice of sixty (60) days.

3. Other Sub-processors

3.1. If the Controller and the Processor have entered into a Consultancy Agreement as part of the Main Agreement, the Processor may engage Sub-processors for the provision of the consultancy Services to the Controller.

3.2. If the Processor uses one or more Sub-processors for the provision of consultancy services this is regulated in detail in the Main Agreement (Consultancy Agreement). The Processor will notify the Controller in accordance with clause 10.3 of the Agreement if changes in the Sub-processors applied for the provision of the consultancy Services are made.
