This policy was last updated on February 15, 2023.
This Data Processing Agreement entered into between you and Qreatiq Group Inc., (the “Company”, “we”, or “us”) regulates the particularities of data processing in connection with your use of both the platform accessible through the www.qreatiq.com and www.qreatiq.net domain names (the “Site”) and the services we may offer through the Site from time to time, consisting of ‘Qreatiq’ forms and other services (indistinctly referred to as the “Services”). If you are also subject to the CCPA, please check our ‘CCPA Notice’ here to learn which specific provisions apply to you.
Please note that ‘Data controller’, ‘data processor’, ‘data subject’, ‘personal data’ and ‘processing’ will have the meaning set forth in the GDPR or in any other applicable European data protection law. ‘GDPR’ shall be understood as (i) the Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; (ii) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Laws”); (iii) any future laws that may amend or complement them.
For clarification purposes, under this DPA (i) the processing of data regulated hereunder shall take place for as long as there is a service agreement in place between you and us, or until you decide to terminate said agreement; (ii) the nature and purposes of the processing shall be the collection, saving, organization, hosting, and deletion of data, as well as making it available to you upon your request; and (iii) the types of personal data and the categories of data subjects that are likely to be used in our product are name, surname, email address, telephone number and other ID details belonging to employees, candidates, prospects, and clients.
1. Processing of data
We will process any personal data we may have access to because of the provision of the Services in accordance with the documented instructions provided by you from time to time. Should a Union or Member State law to which we are subject require us to process personal data —including the international transfer of personal data—, we will inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
Should we have reasonable grounds to believe that a documented instruction given by you infringes the GDPR or any other applicable EU data protection law or regulation, we will put said instruction on hold and immediately notify you. At your sole risk and without us being responsible or liable to you for any losses, you will be entitled to order us to perform any such instruction despite the concerns raised by us, as long as you reconfirm your instruction in writing.
For purposes of this DPA, it will be understood that a ‘documented instruction’ includes, without limitation, (i) any instruction delivered by you by means of any durable media, such as a letter or email; (ii) any instruction electronically sent by you when using the software provided as part of the Services (i.e. by using the interface part of the software and the features made available through it); or (iii) the provisions of the DPA.
For clarification purposes and given your position as data controller, you warrant and represent that you will timely and sufficiently perform your obligations under the applicable privacy laws, such as informing data subjects (e.g. respondents to the forms) and obtaining their consent (where appropriate). This enumeration is for illustration purposes only, in the sense that you will still be required to satisfy the obligations you are subject to under the GDPR, such as making sure, in general, that the processing satisfies the requirements of the GDPR, that you have the right and obligation to decide about the purpose and means of said processing, and that there is a legal basis for the processing.
2. Confidentiality duty
We will ensure that all employees authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Sub-processors
You will subscribe to the emailing list available in order to receive notifications of changes in the sub-processor list pursuant to this Section. Said page includes a current list of approved sub-processors for purposes of this Section.
In the event that we intend to replace one sub-processor with another or to engage new sub-processors to provide you with the Services, you will be entitled to reasonably oppose such change (i.e. by raising a challenge based on the potential or actual failure of the sub-processor to be appointed to meet the legal requirements set forth by the GDPR) within the non-extendable term of fifteen (15) calendar days and, if you exercise such right, we will be entitled to early terminate the contractual relationship set forth for the provision of the Services.
We will enter into written agreements with any sub-processors engaged in the provision of the Services including the safeguards and guarantees required by the GDPR, particularly in respect of implementing the security measures required in the GDPR, and we will be liable for any actions by our sub-processors.
4. Data subjects’ rights
Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, if applicable. For the avoidance of doubt, we will send to you any request data subjects may address directly to us together with all relevant information, if any, so that you can formally contact and answer to data subjects.
5. Security measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as those measures are further detailed in Annex II. Taking into account the nature of processing and the information available to us, we will reasonably assist you in compliance with the security obligations set forth by Article 32 of the GDPR.
6. Assistance and data breaches
In addition to the duty set forth in Section 5 above, we will also provide, subject to the nature of processing and information available to us, assistance in complying with obligations set forth in Articles 32 to 36 of the GDPR, if applicable.
With respect to data breaches, we will notify you without undue delay upon becoming aware of a personal data breach affecting personal data and, in any event, within the deadlines set forth under the GDPR. We will provide you with sufficient information to allow you to meet any obligations to report to or inform competent authorities or data subjects. We will reasonably cooperate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such data breach. For the avoidance of doubt, you will be the only Party responsible for both filing any reports required under applicable law and notifying data subjects, and you will defend, indemnify and hold us harmless of any and all costs (including attorney’s fees), fines or sanctions, or any damages that lack of action on your side may cause.
7. Termination
You will decide whether you want us to delete or return personal data, unless Union or Member State law requires storage of the personal data. To this end, you acknowledge that deletion of the account provided as part of the Services will always result in deletion of personal data, and your request to delete the account will be understood as a request to delete data under this Section 7.
Canceling your paid subscription shall not result in a termination of the Services and, therefore, a termination of this DPA. You will still be able to keep using our Services under a free plan, but some of the functionalities offered to you may not be fully available. This includes the ability to access and download pre-collected responses – for clarification purposes, you will still be able to ask us to download and send you a copy of these responses and we will perform this action as soon as possible and, in any event, within fifteen (15) days.
If you are an inactive free user, as this term is described in the STC, you accept that data is deleted after the 24-month period of time set forth in these STC.
8. Audit rights
We will make available to you the information necessary to demonstrate our compliance with the obligations set forth in this DPA. You agree that the obligation to provide information demonstrating compliance with this DPA may be satisfied by us making available to you copies of the audit reports and/or certifications undergone by us, such as ISO27001 or SOC2 certificates. In the event that these documents do not reasonably address your concerns, you agree that you may only conduct up to one (1) audit per year, unless there are reasonable grounds to believe that we are not performing the obligations laid down in this DPA. Audits will only be carried out during normal business hours, and you will bear all costs unless we are found to be in a material breach of this DPA.
9. International transfer of personal data
In the event that you are neither subject to the GDPR nor located in the EEA, and the transfer cannot otherwise be legally performed in accordance with the GDPR (i.e. because such transfer falls under an adequacy decision passed by the European Commission or can be otherwise performed under the GDPR on the basis of BCR, a certification mechanism or a legally binding instrument), you and we enter into the SCCs, module 4, as a mechanism to ensure the adequate protection of personal data being transferred outside the EEA.
Should you be based in the United Kingdom, the Parties declare that the transfer of data from the United Kingdom to Spain or from Spain to the United Kingdom will not be construed as an international transfer of personal data, considering the adequacy decisions passed on this subject. Annex IV shall apply in respect of any onward transfers.
You authorize the transfer of data to the sub-processors listed in Section 3 above, it being understood that any such transfer will be performed to the extent that we enter into a written contract with the sub-processors setting forth the obligations to be implemented by the sub-processors in respect of the transfer of data (e.g. SCCs, module 3; or, should you be an entity subject to the UK GDPR, the SCCs amended as specified in Annex IV), and you have the right to oppose any future changes or amendments of the sub-processors by following the same steps mentioned in Section 3 above. Should you exercise any such right, we will be entitled to early terminate the contractual relationship set forth for the provision of the Services. For purposes of the SCCs:
– Clause 7 (Docking Clause) will not apply;
– Option 2 in Clause 9 (general written authorization) is chosen. Option 2 will be construed in the light of the provisions of this DPA;
– Clause 11 (Optional Language) will not apply; and
– In Clauses 13, 17 and 18, Spanish law shall be the applicable law, and the competent courts and authorities of the Kingdom of Spain shall be the ones competent to solve any disputes connected with the SCCs.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): Qreatiq Group, Inc., a United States of America entity with registered address at 38 Greene St, New York, NY 10013, United States, and IRS EIN (Taxpayer ID) 80-0861733. The Company is registered in the Commercial Registry of the United States of America. QREATIQ’s Data Protection Officer can be contacted at: [email protected], or at the postal address mentioned in the STC.
Data importer(s): You, as identified when creating an account with QREATIQ.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred – Any kind of data subject categories.
Categories of personal data transferred – Any kind of personal data categories.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures – sensitive information may be processed, and subject to the security measures described in Annex II.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) – Continuous basis.
Nature of the processing – data collection, saving, organization, hosting, deletion. Making the data available to the data exporter following its requirements / petitions.
Purpose(s) of the data transfer and further processing – Provision of customer service services, as further detailed in the STC.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: data will be retained for as long as the data exporter requires the services.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing – same as above.
C. COMPETENT SUPERVISORY AUTHORITY – the Spanish Data Protection Agency.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Information Security Program (“ISP”)
QREATIQ will maintain an ISP designed to (i) help secure personal data against accidental or unlawful loss, access or disclosure; (ii) identify reasonably foreseeable and internal risks to security and unauthorized access; and (iii) minimize security risks, including through risk assessment and regular testing. The ISP will include the following measures:
Network Security
QREATIQ will maintain access and transmission controls and policies to manage access to the network, including the use of authentication controls, firewalls or intrusion detection systems, to ensure that only authorized individuals have access to the systems and that data is transmitted without compromise to the correct recipients. QREATIQ will maintain security incident response plans to handle potential security incidents.
Physical Security
Physical components are housed in facilities (“Facilities”) controlled by an ISO 27001 certified company (i.e. Amazon Web Services) or in Facilities which meet or exceed all of the following physical security requirements.
Physical Access Controls and Limited Access. Access to the Facilities is granted to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked.
Personal Data Security. Controls for the Protection of Personal Data.
This is addressed under the control “Privacy by design & by default”. QREATIQ will maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, personal data), confidentiality and integrity of personal data appropriate to the risk, including inter alia as appropriate: (i) the pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing; and (v) the principles of privacy by design and by default to ensure that processes and systems are designed such that the collection and processing of data are limited to what is necessary for the identified purpose. For personal data, such principles comprise limits on collection and processing, accuracy and quality, minimization of objectives, de-identification, deletion & disposal at the end of processing, proper management of temporary files, retention periods & processing transmission controls. QREATIQ regularly monitors compliance with these measures, and will not materially decrease the overall security of the data processing services.
Temporary files: training & awareness on the handling of temporary files will be included in QREATIQ’s training & awareness program for employees.
Business Continuity and Disaster Recovery
QREATIQ will maintain a business continuity and disaster recovery plan based on risk. Recovery plans are tested at least annually.
Employee security
QREATIQ will have signed confidentiality agreements with the employees and contractors. Also, all employees and contractors will have a common way to report incidents approved by the organization and they will undergo at least an annual security awareness training.
Ongoing Evaluation
QREATIQ must reassess and update its security policies on a periodic basis. Changes must be documented.
ANNEX III
LIST OF SUB-PROCESSORS
For QREATIQ
QREATIQ shall be entitled to seek the assistance of its affiliates QREATIQ DIGITAL LLC, conducting business in the SG and having registered address at 31B Exeter Road, Comcentre Tower, #14-01/02, One Raffles Quay. CBD Singapore, 239732, SG (Singapore); QREATIQ UK Limited, a company incorporated in England and Wales with registered office at 9th Floor, 107 Cheapside, London, EC2V 6DN (United Kingdom); and QREATIQ DE GmbH, a company incorporated in Germany with registered office at EdisonStr. 63 – 12459 Berlin (Germany). These companies are providing engineering, marketing & sales and customer success support services. Additionally, QREATIQ shall be entitled to engage Amazon Web Services Inc., a US entity with registered address at 2021 Seventh Ave., Seattle — Washington 98121 (United States of America) for the provision of hosting services; Cloudflare Inc., a US entity with registered address at 101 Townsend St., San Francisco — California 94107 (USA) for security & fraud prevention; Google Inc., a US entity with registered address at 1600 Amphitheatre Parkway Mountain View — California 94043 (USA), for supporting the processing of tickets raised by respondents; and Zendesk Inc., a US company with registered address at 1019 Market Street San Francisco, — California 94103 (USA), for the processing of customer success tickets.
ANNEX IV
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1 Parties
Start date: As specified in the STCs
The Parties:
Exporter (who sends the Restricted Transfer)
Full legal name: QREATIQ Group Inc.
Trading name (if different): N/A
Main address (if a company registered address): As specified in the STCs
Registration number (if any) (company number or similar identifier): As specified in the STCs
Key Contact
Full Name (optional): N/A
Job Title: N/A
Contact details including email: [email protected]
Importer (who receives the Restricted Transfer)
Full legal name: as identified when creating an account with us
Trading name (if different): As identified when creating an account with us
Main address (if a company registered address): As identified when creating an account with us
Official registration number (if any) (company number or similar identifier): As identified when creating an account with us
Key Contact
Full Name (optional): N/A
Job Title: N/A
Contact details including email: As identified when creating an account with us
Signature (if required for the purposes of Section 2)
Table 2: Selected SCCs, Modules and Selected Clauses
As stipulated in Section 9 of the DPA.
Table 3: Appendix Information
Appendix Information: means the information which must be provided for the selected modules as set out in the Appendix of the EU SCCs (other than the Parties), and which is set out in the DPA.
Table 4: Ending this Addendum when the Approved Addendum changes
Neither party may end this Addendum when the approved Addendum changes.
Part 2: Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms will have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Section ‘Table 2’, including the ‘Appendix Information’.
Appendix Information: As set out in Table 3.
Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ICO: The Information Commissioner.
Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
UK: The United Kingdom of Great Britain and Northern Ireland.
UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR: As defined in Section 3 of the Data Protection Act 2018.
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved EU SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provide greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses will be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.