Data Processing Agreement
Online DPA for demo and self-service contracts for the use of the uxspire platform.
Notice on incorporation: This agreement becomes part of the respective main contract when the customer electronically accepts it in the registration, onboarding, checkout or customer-account process. The customer is identified by the company and contact details stored in the account, organisation, checkout, invoice or other contract-formation process.
Parties and contract formation
This data processing agreement pursuant to Art. 28 GDPR is entered into between the customer as controller and uxspire GmbH, Stixchesstr. 107, 51377 Leverkusen, Germany, as processor.
The customer is the natural or legal person stated as contracting party in the registration, organisation, checkout, invoice or other contract-formation process. If a user accepts this agreement for an organisation, that user confirms that they are authorised to make the declaration on behalf of the customer.
This agreement applies to demo and self-service contracts insofar as uxspire processes personal data on behalf of the customer. For enterprise contracts or individual offers, a separately signed or individually incorporated DPA may apply; such DPA takes precedence over this online DPA insofar as it regulates the same subject matter differently.
Subject matter and duration of processing
This agreement specifies the data protection obligations of the parties for services in which uxspire processes personal data on behalf of the customer. It forms part of the respective main contract for the use of the uxspire platform.
The subject matter of processing is the provision and operation of the uxspire platform for voice-of-customer functions, in-product surveys, audience studies, NPS, CSAT and UEQ surveys, analyses, exports and related support services. Heatmaps, session recordings and funnel analyses are not part of the current standard service and apply only if they are later expressly contractually agreed and productively activated.
The duration of processing follows the main contract. This agreement applies for the duration of platform use and ends when uxspire no longer processes personal data of the customer and deletion or return under this agreement has been completed.
Responsibility and instructions
The customer remains the controller within the meaning of the GDPR. The customer determines the purposes and means of the collection, transfer and processing of personal data initiated by it and remains responsible for legal bases, information duties, consents, objection options and the lawfulness of its configurations.
uxspire processes personal data solely on documented instructions from the customer. The initial instructions result from the main contract, the product configuration by the customer and this agreement.
Instructions may be issued in text form, via administrative settings of the platform or through agreed support and communication channels. If uxspire considers that an instruction infringes data protection law, uxspire will inform the customer without undue delay and is entitled to suspend execution of the affected instruction until it is confirmed, changed or withdrawn.
Scope of processing and customer content
uxspire processes personal data only insofar as this is necessary for operation, security, billing, support, maintenance, error analysis, abuse prevention, product configuration and analysis of the contractually agreed platform functions.
The customer decides independently which domains, digital products, projects, surveys, studies, questions, answer options, free-text fields, widgets, snippet integrations, URL patterns, selectors, integrations, exports and analysis functions are used and which personal data are processed as a result.
The customer is solely responsible for the content of surveys, studies, questions, answer options and free-text fields as well as for the admission, analysis and interpretation of the collected data. uxspire does not pre-review content created by the customer for lawfulness, admissibility or suitability.
Interpretation or derivation of recommendations for action by uxspire is not part of the standard service. The platform provides configuration-dependent analyses, clusters, metrics, dashboards and exports; professional decisions are made by the customer.
Confidentiality
uxspire ensures that persons authorised to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory confidentiality obligation.
Persons with access to personal data are made familiar with the data protection and security requirements relevant to them. The confidentiality obligation continues after the end of the activity.
Technical and organisational measures
uxspire implements appropriate technical and organisational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk. The essential measures are documented in this agreement and the service description.
- Access restriction through role-based permissions, authentication and organisational access control.
- Transport encryption, secure cloud infrastructure, separation of tenant and project contexts and technical access restrictions.
- Logging of security-relevant processes, monitoring, backup and recovery processes in accordance with the infrastructure used.
- Data minimisation, configurable privacy signals, deletion and export functions as well as restriction of planned sensitive modules to expressly activated service components.
- Internal processes for permission reviews, security incidents, service provider management and regular review of the TOMs.
The measures are subject to technical progress and further development of the platform. uxspire may use alternative or further developed measures provided that the contractually agreed protection level is not reduced.
Customer support
uxspire supports the customer in accordance with the main contract and taking into account the nature, scope and purpose of processing in fulfilling data protection obligations.
This includes, in particular, support with requests from data subjects, data protection impact assessments, prior consultations, security measures, accountability obligations and notifications under Art. 33 and 34 GDPR, insofar as uxspire has relevant information available.
If a data subject contacts uxspire directly, uxspire forwards the request to the customer, provided that allocation is possible. uxspire does not answer such requests independently unless instructed to do so or legally required.
Notification of data protection incidents
uxspire informs the customer without undue delay after uxspire has become aware of a personal data breach affecting customer data.
The notification contains, insofar as available, a description of the incident, the affected data and persons, the likely consequences and the measures taken or proposed to contain and remedy it.
uxspire takes appropriate measures to secure the data and mitigate possible adverse consequences and coordinates further measures with the customer.
Sub-processors
The customer grants uxspire general authorisation to engage sub-processors for the services described in this agreement.
uxspire contractually binds sub-processors to data protection obligations that are substantially equivalent to the obligations under this agreement. uxspire remains responsible to the customer for fulfilment of the data protection obligations of the sub-processors.
uxspire informs the customer at least 30 days before the planned use of new or replacement sub-processors, unless urgent legal, security-related or operational reasons require a shorter period. The customer may object within this period for important data protection reasons. In the event of a justified objection, the parties will coordinate on a reasonable solution; if the objection remains, the termination rules of the main contract apply to the affected service component.
Third-country transfers
Personal data are generally processed within the European Union or the European Economic Area unless this agreement or the current sub-processor list states otherwise.
A transfer of personal data to a third country or an international organisation takes place only if the requirements of Art. 44 et seq. GDPR are met, in particular through an adequacy decision, EU standard contractual clauses, supplementary safeguards or another permissible safeguard.
Audit and evidence options
uxspire provides the customer with all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR that is required and available to uxspire.
The customer may carry out audits after reasonable prior notice or have them carried out by independent auditors. Audits must be designed so that uxspire's operations, security and confidentiality as well as the rights of other customers are not impaired.
Where equivalent evidence such as audit reports, certificates, security documentation or written information is sufficient, this should be used as a priority.
Return and deletion
After the end of the services or upon documented instruction from the customer, uxspire deletes personal data of the customer or makes them available to the customer in an available export format, if and insofar as this is technically possible and contractually provided.
Statutory retention obligations, evidence purposes, security logs and routine backups remain unaffected. Data in backups are not actively used, are protected against access and are deleted or overwritten after expiry of the backup cycles.
Processing annexes
Nature, purpose and scope
Processing includes collecting, recording, storing, organising, structuring, analysing, aggregating, visualising, providing, exporting, deleting and logging personal data within the uxspire platform. The purposes are UX research, user feedback, in-product surveys, VoC metrics, audience studies, persona clusters, dashboards, exports, support, security and platform operation.
Types of data
- Account, organisation, workspace, project and role information of the customer's users.
- Contact and communication data of admins, editors, viewers and contact persons.
- Usage, event and technical metadata such as pseudonymous profile and session IDs, timestamps, URL or path, referrer host/path, origin, client IP, Accept-Language, device type, viewport, browser/user agent as well as pageview, survey, widget and interaction events.
- Survey, VoC and study data such as answers, ratings, optional free text, NPS, CSAT and UEQ results, audience studies, setcard information, segment and cluster assignments, timestamps, pseudonymous event/session references, dashboards and exports.
- Technical data such as client keys, project configurations, widget and theme settings, URL patterns, selectors, consent/privacy status, logs and security events.
- DOM snapshots, heatmap, session-recording and funnel data only insofar as these functions are expressly contractually agreed, productively activated and not technically excluded in the future.
Categories of data subjects
- Users, visitors, customers, prospects or participants of the customer's websites, apps, shops, products or surveys.
- Employees and representatives of the customer who administer or analyse uxspire.
- Other persons whose data the customer collects or processes via the platform.
Special categories of data
Processing special categories of personal data under Art. 9 GDPR is not part of the standard service. The customer may collect, permit in free-text fields or analyse such data as well as data relating to criminal convictions or offences, data of minors, health data, HR or applicant data, financial or insurance data or data for discriminatory profiling, scoring or decisions with legal or similarly significant effect only if a separate express agreement, a valid legal basis and appropriate safeguards exist.
Essential service providers
| Service provider | Purpose | Data categories | Location / safeguards |
|---|---|---|---|
| Microsoft Ireland Operations Ltd. / Microsoft Azure and affiliated Microsoft services | Hosting of the SaaS application, database, authentication, key management, logging, monitoring and email infrastructure insofar as productively used. | Account, contract, workspace, project, usage, survey, VoC, audience-study, response, cluster-assignment, telemetry and configuration data. | EU/EEA or according to the current cloud configuration; safeguards under Chapter V GDPR where required. |
| Cloudflare, Inc. / Cloudflare R2 and CDN | Storage and delivery of survey assets, CDN, security and performance functions as well as, where applicable, consent evidence. | Asset files, technical access data, IP/request/security logs, consent ID/status, timestamp, language, path, referrer, browser and device information. | R2 with EU jurisdiction, otherwise according to the current Cloudflare configuration; safeguards under Chapter V GDPR where required. |
| Stripe Payments Europe, Ltd. / Stripe group | Payment and billing processes for customer accounts insofar as part of the booked service. | Account, contract, payment and billing data; generally no end-user feedback data. | EU/EEA and, where applicable, third-country transfer according to Stripe documentation and appropriate safeguards. Depending on the processing, independent controller and/or processor. |
The current public overview of essential service providers and sub-processors is also available in the Privacy Policy. The notification and objection rules of this agreement apply to legally binding changes.
Final provisions
In the event of contradictions between this agreement and the main contract, the data protection provisions of this agreement take precedence insofar as the contradiction concerns data processing on behalf.
Changes and additions to this agreement require text form or renewed electronic incorporation unless a stricter form is required by law. Changes will be communicated to the customer in an appropriate form.
German law applies. The contract language is German. Translations are provided for information; the German version is authoritative. The place of jurisdiction, insofar as legally permissible, is Cologne.
Contact
uxspire GmbH · Stixchesstr. 107, 51377 Leverkusen, Germany · Email: