Data Processing Addendum (DPA)
Effective Date: March 30, 2026
1. Purpose and Scope
This Data Processing Addendum (“Addendum”) forms part of the principal services agreement (“Principal Agreement”) between Controller and Processor and sets out the obligations of the parties with respect to the processing of personal data as required by Article 28 GDPR and related legislation.
All capitalised terms not defined herein have the meaning given in the Principal Agreement or in the GDPR.
2. Subject Matter, Duration, Nature, and Purpose
- Subject Matter: Processing of personal data to enable survey creation, display, response collection, analytics, and related customer-experience functions provided by Zigpoll.
- Duration: For the term of the Principal Agreement and until deletion or return of data pursuant to § 12.
- Nature and Purpose: Collection, storage, analysis, export, and reporting of survey responses and associated metadata (including contact details, online identifiers, transaction references, timestamps, and engagement metrics) for purposes of feedback, marketing analysis, and customer-experience optimisation.
- Categories of Data Subjects: End-users, customers, and website visitors of Controller.
- Categories of Personal Data: Order-related metadata, usage data, device or browser identifiers, and survey responses.
- Special Categories of Data: None intentionally processed.
3. Processing on Documented Instructions
- Processor shall process personal data only on documented instructions from Controller.
- Persons authorised to issue and receive such instructions are identified in Schedule B.
- Oral instructions must be confirmed in writing (email suffices) within 24 hours and archived by both parties.
- Processor shall immediately inform Controller if, in its opinion, an instruction infringes applicable data-protection law.
- Processor shall notify Controller without undue delay if it becomes subject to any legal obligation that would require it to process personal data outside of or contrary to Controller's documented instructions, unless the law in question prohibits such notification on important grounds of public interest (Art. 28(3)(a) GDPR).
4. Confidentiality
Processor shall ensure that all authorised personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of secrecy. Written records of such undertakings shall be retained and made available to Controller upon request.
5. Technical and Organisational Measures (TOMs)
Processor shall implement the technical and organisational measures described in Schedule C, ensuring a level of security appropriate to the risk as required by Article 32 GDPR. Processor shall provide evidence of implementation upon reasonable request or audit.
6. Sub-Processing
- Controller grants Processor a general authorisation to engage sub-processors for the performance of the Services.
- The current list of sub-processors is attached in Schedule A.
- Processor shall notify Controller in writing at least 30 days before adding or replacing any sub-processor. Controller may object on reasonable data-protection grounds within 14 days.
- Processor shall ensure each sub-processor is bound by equivalent obligations and safeguards.
7. Data Subject Rights
Processor shall assist Controller, by appropriate technical and organisational measures, in fulfilling its obligations to respond to data-subject requests under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection).
8. Assistance Obligations (Art. 28(3)(f) GDPR)
Taking into account the nature of the processing and the information available to Processor, Processor shall assist Controller in ensuring compliance with the following obligations:
- Security of processing (Article 32 GDPR);
- Notification of personal data breaches to the supervisory authority (Article 33 GDPR);
- Communication of personal data breaches to data subjects (Article 34 GDPR);
- Data protection impact assessments (Article 35 GDPR), including by providing information necessary for Controller to conduct and, where required, update such assessments; and
- Prior consultation with the supervisory authority (Article 36 GDPR).
Processor shall respond to reasonable assistance requests without undue delay and may charge a reasonable fee for assistance that is manifestly excessive or unfounded.
9. International Data Transfers
- Personal data processed under this Addendum may be transferred to, stored, or processed in the United States and other countries where Processor's sub-processors operate.
- For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that have not received an adequacy decision from the European Commission (or the corresponding UK or Swiss adequacy determination), Processor shall ensure that appropriate safeguards are in place in accordance with Article 46 GDPR, including:
- The European Commission's Standard Contractual Clauses (SCCs) as adopted under Implementing Decision (EU) 2021/914, Module Two (controller-to-processor) and, where applicable, Module Three (processor-to-processor), which are hereby incorporated by reference into this Addendum; and/or
- Certification of the data importer under an approved framework such as the EU-US Data Privacy Framework, where applicable.
- The applicable transfer mechanism for each sub-processor is identified in Schedule A. Where SCCs apply, Processor shall ensure that a Transfer Impact Assessment (TIA) has been conducted and that supplementary measures are implemented where necessary to ensure an essentially equivalent level of protection.
- Processor shall promptly inform Controller of any changes in legislation or circumstances that materially affect the lawfulness or adequacy of the transfer safeguards relied upon.
- Upon request, Processor shall make available copies of the executed SCCs and relevant TIA documentation.
10. Personal Data Breach Notification
In the event of a personal data breach, Processor shall without undue delay and, where feasible, not later than 48 hours after becoming aware, notify Controller.
The notice shall include:
- contact details of a data-protection contact point;
- description of the nature of the breach (categories and approximate number of data subjects and records concerned);
- likely consequences; and
- measures taken or proposed to remedy or mitigate the breach.
If all information cannot be provided simultaneously, Processor shall supply it incrementally without undue delay.
11. Audit and Compliance
- Processor shall make available to Controller all information necessary to demonstrate compliance with Article 28 GDPR and shall allow for and contribute to audits, including on-site inspections, by Controller or a qualified independent auditor mandated by Controller.
- Controller may conduct one routine audit per calendar year with at least 30 days’ prior written notice. Additional audits may be conducted following a substantiated data-protection incident or a reasonable suspicion of non-compliance, with notice reduced to a reasonable minimum under the circumstances.
- Audits may be performed remotely or on-site at Controller’s discretion. Processor shall provide reasonable co-operation, access to relevant systems, and personnel, and any documentation necessary for the audit. Processor operates without dedicated office premises. Where physical inspection is requested, it shall be conducted at Processor’s infrastructure sub-processor facilities (subject to that sub-processor’s audit policies) or, where physical inspection is not applicable, through supervised remote access sessions providing equivalent visibility into systems, configurations, and documentation.
- Where Processor engages an independent third-party auditor to produce a compliance report (e.g., SOC 2 Type II), Processor may offer such report to satisfy Controller’s audit right, provided Controller retains the right to conduct its own audit if the report does not adequately address its concerns.
12. Return and Deletion of Data
Upon termination of the Services, Processor shall, at Controller’s choice, delete or return all personal data and delete all existing copies within 10 business days, unless Union or Member State law requires retention.
13. Liability and Governing Law
This Addendum is governed by the laws of the State of New York, USA, except to the extent mandatory provisions of EU data-protection law prevail. Liability provisions of the Principal Agreement apply equally to this Addendum.
14. Notices
All notices and communications under this Addendum must be in writing (email suffices) and addressed to the contacts listed in Schedule B.
Schedules
Schedule A – Approved Sub-Processors
| Sub-Processor | Purpose | Location | Safeguard Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting & Storage | US | SCCs + EU-US DPF |
| MongoDB Atlas | Database Services | US | SCCs |
| Redis Labs | Database Services | US | SCCs |
| Cloudflare Inc. | CDN & Security | EU / US | SCCs + EU-US DPF |
| Twilio SendGrid | Transactional Email | US | SCCs |
| Sentry Inc. | Error Monitoring | EU / US | SCCs + EU-US DPF |
| Google LLC (Analytics) | Analytics / Reporting | EU / US | SCCs + EU-US DPF |
| OpenAI | AI Infrastructure | US | SCCs |
Schedule B – Authorised Representatives & Instruction Contacts
| Party | Name / Role | Contact | Function |
|---|---|---|---|
| Processor | Jason Zigelbaum – CEO (Zigpoll) | [email protected] | Receives instructions |
| Alternate | Support Lead (Zigpoll) | [email protected] | Backup contact |
Schedule C – Technical and Organisational Measures
The following measures are implemented in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk of the processing.
C.1 Access Control – Authentication & Authorisation
| Measure | Detail |
|---|---|
| Multi-factor authentication (MFA) | Required for all employees accessing production systems, administrative consoles, and source-code repositories. |
| Role-based access control (RBAC) | Access to personal data is granted on a need-to-know basis. Roles are defined per function (engineering, support, management) with least-privilege principles enforced. |
| Periodic access reviews | Access rights are reviewed quarterly. Accounts of departing employees are revoked within 24 hours of separation. |
| Production/non-production segregation | Development and staging environments are logically separated from production. Production data is not used in development or testing. |
C.2 Encryption
| Measure | Detail |
|---|---|
| Encryption in transit | All data transmitted between clients, servers, and sub-processors is encrypted using TLS 1.2 or higher (TLS 1.3 preferred). HSTS is enforced on all public endpoints. |
| Encryption at rest | All databases and storage volumes are encrypted with AES-256 using provider-managed keys (AWS KMS, MongoDB Atlas encryption). |
| Key management | Encryption keys are managed through AWS Key Management Service (KMS) with automatic annual rotation. Access to key management is restricted to authorised personnel. |
C.3 Network Security
| Measure | Detail |
|---|---|
| Firewall & network segmentation | Cloud infrastructure uses security groups and network ACLs to restrict traffic. Only required ports and protocols are permitted. |
| DDoS protection | Cloudflare is deployed in front of all public-facing services, providing WAF, rate-limiting, and DDoS mitigation. |
| Intrusion detection | AWS GuardDuty and Cloudflare security analytics are enabled for continuous monitoring of suspicious activity. |
C.4 Data Minimisation & Pseudonymisation
| Measure | Detail |
|---|---|
| Data minimisation | Only personal data strictly necessary for the provision of survey and analytics services is collected. No special category data (Article 9 GDPR) is intentionally processed. |
| Pseudonymisation | Where feasible, survey responses are stored with pseudonymous identifiers. Direct identifiers are separated from response data in storage. |
| Retention limits | Personal data is retained only for the duration of the service agreement. Upon termination, data is deleted within 10 business days per § 12. |
C.5 Integrity & Availability
| Measure | Detail |
|---|---|
| Automated backups | Databases are backed up nightly with point-in-time recovery enabled. Backups are encrypted and retained for 7 days. |
| Restore testing | Backup restoration is tested periodically to verify recoverability and data integrity. |
| Redundancy | Application services run across multiple availability zones to ensure high availability and fault tolerance. |
| Uptime monitoring | Continuous uptime and performance monitoring with automated alerting for service degradation or outages. |
C.6 Vulnerability Management
| Measure | Detail |
|---|---|
| Patch management | Security patches for operating systems, frameworks, and dependencies are applied on a monthly cycle. Critical vulnerabilities are patched within 72 hours of disclosure. |
| Dependency scanning | Automated dependency vulnerability scanning is integrated into the CI/CD pipeline. Builds with known critical vulnerabilities are blocked. |
| Penetration testing | Independent penetration testing is conducted annually. Findings are remediated on a risk-prioritised basis. |
C.7 Logging & Monitoring
| Measure | Detail |
|---|---|
| Audit logging | Access to personal data, administrative actions, and authentication events are logged. Logs are retained for a minimum of 90 days. |
| Error & exception monitoring | Application errors are tracked via Sentry with real-time alerting for anomalies affecting data processing. |
| Log integrity | Logs are stored in append-only storage and are not modifiable by application-level processes. |
C.8 Physical Security
| Measure | Detail |
|---|---|
| Data centre security | All infrastructure is hosted on Amazon Web Services (AWS). AWS data centres maintain SOC 2 Type II, ISO 27001, and other certifications covering physical access controls, surveillance, and environmental safeguards. |
| Endpoint security | Employee devices with access to production systems use full-disk encryption and are protected with up-to-date endpoint security software. |
C.9 Incident Response
| Measure | Detail |
|---|---|
| Incident response plan | A documented incident response playbook is maintained covering identification, containment, eradication, recovery, and post-incident review. |
| Breach notification | Controller is notified without undue delay and, where feasible, within 48 hours of Processor becoming aware of a personal data breach, per § 10 of this Addendum. |
| Designated security contact | A designated security officer is responsible for coordinating incident response and communication. |
C.10 Employee Measures
| Measure | Detail |
|---|---|
| Confidentiality obligations | All employees and contractors with access to personal data are bound by written confidentiality agreements per § 4 of this Addendum. |
| Security training | Employees receive data-protection and security-awareness training upon onboarding and annually thereafter. |