Data Processing Agreement

Between Customer (Data Controller) and MeaningfulCX GmbH (Data Processor)

Effective Date: [Date of Customer Agreement]

1. Definitions

1.1 Capitalized terms used in this Data Processing Agreement ("DPA") have the meanings set forth below or in the Agreement.

"Agreement": means the terms and conditions governing Customer's use of the Services, including these DPA terms.

"Applicable Data Protection Law": means all laws and regulations applicable to the processing of Personal Data under this DPA, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), and any successor legislation.

"Controller": means the entity that determines the purposes and means of the processing of Personal Data. Under this DPA, Customer acts as Controller.

"Customer Data": means any Personal Data that Customer submits to the Services or that is collected through Customer's use of the Services, including data from Interview Respondents.

"Data Subject": means the individual to whom Personal Data relates (e.g., Interview Respondents).

"Personal Data": means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law.

"Processor": means the entity that processes Personal Data on behalf of the Controller. Under this DPA, MeaningfulCX acts as Processor.

"Processing": has the meaning given in the GDPR and "process", "processes" and "processed" shall be interpreted accordingly.

"Services": means the qualitative research platform and related services provided by MeaningfulCX.

"Standard Contractual Clauses" or "SCCs": means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, as approved by the European Commission.

"Sub-processor": means any Processor engaged by MeaningfulCX to process Customer Data.

2. Scope and Roles

2.1 Controller and Processor Relationship

Customer is the Controller of Customer Data and determines the purposes and means of processing. MeaningfulCX is the Processor and processes Customer Data only on behalf of and in accordance with Customer's documented instructions.

2.2 Details of Processing

  • Subject matter: The provision of the Services as described in the Agreement.
  • Duration: The term of the Agreement.
  • Nature and purpose: Processing necessary to provide the qualitative research platform, including AI-moderated interviews, data synthesis, and analysis services.
  • Type of Personal Data: Customer Data may include:
    • Interview responses and conversation transcripts
    • Geographic location data (country, region)
    • Any other data Customer chooses to collect through the Services
  • Categories of Data Subjects: Interview Respondents participating in Customer's research projects.

2.3 Customer Instructions

MeaningfulCX will process Customer Data only in accordance with Customer's documented instructions, which include:

  • This DPA and the Agreement
  • Customer's use and configuration of the Services (including project setup, data collection settings, and analysis parameters)
  • Additional written instructions provided by Customer that are agreed to by MeaningfulCX in writing

2.4 Compliance with Instructions

If MeaningfulCX believes that any instruction from Customer violates Applicable Data Protection Law, MeaningfulCX will inform Customer without undue delay. Customer may withdraw or modify such instruction. If Customer does not withdraw or modify the instruction, MeaningfulCX may suspend processing until the instruction is withdrawn or modified.

3. Customer Obligations and Responsibilities

3.1 Customer represents and warrants that:

  • It has obtained all necessary consents and provided all required notices to Data Subjects for the collection and processing of Customer Data through the Services
  • Its instructions to MeaningfulCX comply with Applicable Data Protection Law
  • It has the legal right to transfer Customer Data to MeaningfulCX for processing

3.2 Customer is solely responsible for:

  • The accuracy, quality, and legality of Customer Data
  • Determining the lawful basis for processing under Applicable Data Protection Law
  • Providing privacy notices to Data Subjects
  • Responding to Data Subject requests (with assistance from MeaningfulCX as described in Section 7)
  • Determining appropriate data retention periods for Customer Data

4. Sub-processors

4.1 General Authorization

Customer provides general authorization for MeaningfulCX to engage Sub-processors to process Customer Data, subject to the requirements of this Section 4.

4.2 Current Sub-processors

MeaningfulCX currently uses the following Sub-processors (listed as Sub-processor: Service Provided; Data Location):

  • Amazon Web Services EMEA SARL: Cloud infrastructure and LLM hosting; Data Location: EU (Frankfurt, Germany - eu-central-1)
  • Microsoft Ireland Operations Limited: Cloud infrastructure and LLM hosting; Data Location: EU (Sweden)
  • Respondent.io: Research panel services; Data Location: As per their terms
  • PostHog Inc.: Product analytics (error tracking, masked user sessions); Data Location: EU

The current list of Sub-processors is available at: https://www.meaningful.app/subprocessors or upon request to contact@meaningful.app.

4.3 New Sub-processors

MeaningfulCX will provide Customer with at least 30 days' prior written notice before engaging any new Sub-processor or making material changes to existing Sub-processors. Notice will be provided via:

  • Email to Customer's registered account email address
  • Update to the Sub-processor list with notification in the Services

4.4 Objection to Sub-processors

Customer may object to a new Sub-processor on reasonable data protection grounds by notifying MeaningfulCX in writing within 30 days of receiving notice. If Customer objects, the parties will work together in good faith to find a commercially reasonable solution. If no solution can be found, Customer may terminate the affected Services without penalty.

4.5 Sub-processor Obligations

MeaningfulCX will:

  • Enter into a written agreement with each Sub-processor containing data protection obligations substantially similar to those in this DPA
  • Remain fully liable to Customer for the performance of any Sub-processor

5. Security Measures

5.1 Technical and Organizational Measures

MeaningfulCX has implemented and will maintain appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex 1: Security Measures.

5.2 Security Standards

MeaningfulCX's security measures include:

  • End-to-end encryption in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication for administrative access
  • Role-based access control (RBAC) with principle of least privilege
  • Regular security assessments and penetration testing
  • Incident response and business continuity procedures
  • Employee security training and background checks where legally permitted

5.3 Certifications

MeaningfulCX is pursuing the following certifications:

  • ISO 27001 (Information Security Management) - In progress
  • SOC 2 Type II (Security, Availability, Confidentiality) - In progress

Upon completion, MeaningfulCX will make certification documentation available to Customer under appropriate confidentiality terms.

5.4 Customer Security Responsibilities

Customer is responsible for:

  • Properly configuring and using security features provided by the Services
  • Managing access credentials and user permissions
  • Implementing appropriate security measures for data under Customer's control

6. Data Location and Transfers

6.1 Data Storage Location

Customer Data is processed and stored exclusively within the European Union:

  • Amazon Web Services: eu-central-1 (Frankfurt, Germany)
  • Microsoft Azure: Sweden region

6.2 No Data Transfers Outside EU

MeaningfulCX will not transfer Customer Data outside the European Economic Area (EEA) without Customer's prior written consent, except:

  • Where necessary to comply with legal obligations
  • Where Customer explicitly instructs such transfer through their use of the Services

6.3 Standard Contractual Clauses

To the extent any Sub-processor processes Customer Data outside the EEA, MeaningfulCX will ensure appropriate safeguards are in place, including the EU Standard Contractual Clauses or other legally recognized transfer mechanisms.

6.4 Government and Legal Requests

If MeaningfulCX receives a legally binding request from a government authority or law enforcement for disclosure of Customer Data, MeaningfulCX will:

  • Attempt to redirect the requesting party to Customer
  • Notify Customer of the request unless legally prohibited
  • Challenge overly broad or unlawful requests where reasonable
  • Disclose only the minimum data required to comply

7. Data Subject Rights

7.1 Assistance with Data Subject Requests

MeaningfulCX will, taking into account the nature of the processing, assist Customer in fulfilling Customer's obligations to respond to Data Subject requests under Applicable Data Protection Law, including requests for:

  • Access to Personal Data
  • Rectification of inaccurate Personal Data
  • Erasure of Personal Data ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Objection to processing

7.2 Self-Service Tools

The Services provide Customer with self-service tools to:

  • Access and export Customer Data
  • Delete Customer Data and projects
  • Modify data collection settings

Customer is responsible for using these tools to respond to Data Subject requests.

7.3 Forwarding Data Subject Requests

If MeaningfulCX receives a Data Subject request directly, MeaningfulCX will promptly forward the request to Customer. Customer will be responsible for responding to the Data Subject.

7.4 Additional Assistance

If Customer requires additional assistance beyond the self-service tools, Customer may submit a request to contact@meaningful.app. MeaningfulCX will provide commercially reasonable assistance, which may be subject to additional fees for requests requiring significant manual effort.

8. Data Breaches and Security Incidents

8.1 Security Incident Definition

A "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.

8.2 Notification

MeaningfulCX will notify Customer without undue delay after becoming aware of a Security Incident, and in any event within 72 hours of confirmation. Notification will be sent to Customer's registered account email address.

8.3 Incident Information

The notification will include, to the extent available:

  • Description of the nature of the Security Incident
  • Categories and approximate number of Data Subjects and records affected
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the Security Incident
  • Contact point for further information

8.4 Incident Response

MeaningfulCX will:

  • Take reasonable steps to mitigate the effects of the Security Incident
  • Cooperate with Customer in investigating the Security Incident
  • Provide reasonable assistance to Customer in notifying Data Subjects and supervisory authorities if required

8.5 No Acknowledgment of Liability

Notification of a Security Incident under this Section 8 is not an acknowledgment of fault or liability by MeaningfulCX.

8.6 Unsuccessful Security Incidents

This Section 8 does not apply to unsuccessful Security Incidents that result in no unauthorized access to Customer Data, including:

  • Pings, port scans, denial of service attacks
  • Unsuccessful login attempts
  • Other attacks on firewalls or networked systems that do not result in access to Customer Data

9. Audits and Compliance

9.1 Audit Rights

Customer has the right to audit MeaningfulCX's compliance with this DPA, subject to the following conditions:

  • Audits may be conducted no more than once per year unless required by a supervisory authority
  • Customer must provide at least 30 days' written notice
  • Audits must be conducted during normal business hours and in a manner that minimizes disruption
  • Customer must execute a confidentiality agreement before conducting an audit

9.2 Audit Reports

As an alternative to on-site audits, MeaningfulCX will provide Customer with:

  • Available third-party audit reports and certifications (ISO 27001, SOC 2 Type II)
  • Information from Sub-processors' audit reports (AWS and Azure DPA documentation)
  • Responses to information security questionnaires (subject to reasonable frequency limits)

9.3 Audit Costs

Customer is responsible for all costs associated with audits, including MeaningfulCX's reasonable costs for facilitating the audit.

10. Data Retention and Deletion

10.1 Customer-Controlled Retention

Customer determines the retention period for Customer Data. Customer can delete Customer Data at any time through the self-service deletion tools provided in the Services.

10.2 Deletion Upon Termination

Upon termination or expiration of the Agreement:

  • Customer has 30 days to export Customer Data using the Services
  • After the 30-day period, MeaningfulCX will delete or anonymize all Customer Data within 90 days, except where retention is required by law
  • Upon Customer's request, MeaningfulCX will provide written certification of deletion

10.3 Backup Data

Customer Data in backup systems will be deleted or overwritten in accordance with MeaningfulCX's standard backup retention policies, which do not exceed 90 days after the data is removed from production systems.

10.4 Legal Retention

MeaningfulCX may retain Customer Data to the extent required by Applicable Data Protection Law or other legal obligations, provided that MeaningfulCX will continue to maintain the confidentiality of such data and will only process it for the purposes of complying with such obligations.

11. Confidentiality

11.1 Employee Confidentiality

MeaningfulCX will ensure that all personnel who have access to Customer Data:

  • Are subject to appropriate confidentiality obligations
  • Process Customer Data only as necessary to provide the Services
  • Receive appropriate training on data protection and security

11.2 Access Restrictions

MeaningfulCX will restrict access to Customer Data to personnel who require access to perform their job functions related to providing the Services.

12. Data Protection Impact Assessments and Prior Consultation

12.1 Assistance with DPIAs

Upon Customer's written request, MeaningfulCX will provide reasonable cooperation and assistance to Customer in conducting data protection impact assessments (DPIAs) required under Applicable Data Protection Law.

12.2 Information Provided

MeaningfulCX will provide information about:

  • The nature, scope, context, and purposes of processing
  • Security measures implemented under Section 5
  • Sub-processors engaged under Section 4
  • Other information reasonably necessary for Customer's DPIA

13. Cooperation with Supervisory Authorities

13.1 MeaningfulCX will cooperate with Customer and, as appropriate, with supervisory authorities in the investigation and resolution of any complaints or inquiries related to the processing of Customer Data.

13.2 If a supervisory authority requests information or an audit from MeaningfulCX, MeaningfulCX will promptly notify Customer and will cooperate with Customer in responding to such requests.

14. Return or Deletion of Customer Data

See Section 10 (Data Retention and Deletion).

15. General Provisions

15.1 Term

This DPA remains in effect for as long as MeaningfulCX processes Customer Data on behalf of Customer, and continues until all Customer Data is deleted or returned in accordance with Section 10.

15.2 Amendments

MeaningfulCX may update this DPA from time to time to reflect changes in Applicable Data Protection Law or industry standards. Material changes will be communicated to Customer with at least 30 days' notice.

15.3 Conflict

In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data.

15.4 Limitation of Liability

Each party's liability under this DPA is subject to the exclusions and limitations of liability set forth in the Agreement.

15.5 Governing Law

This DPA is governed by the laws of the Federal Republic of Germany, in accordance with the Agreement.

15.6 Contact for Data Protection Matters

All notices and inquiries related to this DPA should be sent to:

MeaningfulCX GmbH

Attention: Privacy Team

Email: contact@meaningful.app

Address: Birketweg 45, 80639 Munich, Germany

16. Standard Contractual Clauses

16.1 Incorporation of SCCs

To the extent that MeaningfulCX processes Customer Data subject to the GDPR and such processing involves a transfer of Personal Data to a Sub-processor located outside the European Economic Area (EEA) that is not subject to an adequacy decision, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) as adopted by European Commission Implementing Decision (EU) 2021/914 are incorporated into and form part of this DPA.

16.2 SCC Details

For the purposes of the Standard Contractual Clauses:

  • Module Two (Controller to Processor) applies
  • Customer is the "data exporter" (Controller)
  • MeaningfulCX is the "data importer" (Processor)
  • The details of processing are set out in Section 2.2 of this DPA
  • The optional docking clause (Clause 7) is not selected
  • The optional redress clause (Clause 11) is not selected
  • Option 2 applies for Clause 9(a) (prior specific authorization with general authorization for Sub-processor changes)
  • The governing law for Clause 17 is the law of Germany
  • The supervisory authority for Clause 13 is the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht)

16.3 Conflict

In the event of any conflict between the Standard Contractual Clauses and other terms of this DPA, the Standard Contractual Clauses will prevail.

16.4 Current Status

As of the Effective Date, all Customer Data processing occurs within the EU (Germany and Sweden), and therefore transfers subject to the Standard Contractual Clauses are not currently required. However, the Standard Contractual Clauses will automatically apply if any future Sub-processor processes Customer Data outside the EEA.

Annex 1: Security Measures

Technical and Organizational Security Measures

MeaningfulCX has implemented the following security measures to protect Customer Data:

1. Access Control

Physical Access Control

  • Customer Data is processed in professional data centers operated by AWS (Frankfurt, Germany) and Azure (Sweden)
  • Data centers employ physical security measures including:
    • 24/7 security personnel
    • Video surveillance
    • Biometric access controls
    • Visitor logging and escort procedures

Logical Access Control

  • Multi-factor authentication (MFA) required for administrative access
  • Role-based access control (RBAC) with principle of least privilege
  • Individual user accounts (no shared credentials)
  • Automatic session timeout after period of inactivity
  • Quarterly access reviews to ensure appropriate access levels
  • Immediate revocation of access upon employee termination

2. Data Protection

Encryption

  • Data in transit: TLS 1.3 encryption for all data transmission
  • Data at rest: AES-256 encryption for all stored data
  • Encryption key management through AWS KMS and Azure Key Vault
  • Encrypted backups with secure key storage

Data Segregation

  • Logical separation of Customer Data by project and customer account
  • Database-level isolation between customers
  • No cross-customer data access or sharing

Data Minimization

  • Anonymous research participant architecture (no respondent identification)
  • Automated PII detection and warnings
  • Location data limited to country/region level

3. Transmission Control

Network Security

  • Virtual Private Cloud (VPC) network isolation
  • Firewall protection and network segmentation
  • DDoS protection and mitigation
  • Intrusion detection and prevention systems
  • Regular network security assessments

Secure Data Transmission

  • All data transfers use encrypted channels (HTTPS/TLS)
  • No unencrypted transmission of Customer Data
  • Secure APIs with authentication and authorization

4. Input Control

Audit Logging

  • Comprehensive logging of all data access and modifications
  • Logs include: user identity, timestamp, action performed, data affected
  • Logs retained for minimum 90 days
  • Regular review of logs for suspicious activity
  • Tamper-evident log storage

Change Management

  • Version control for all code and configuration changes
  • Code review process for all changes
  • Testing in isolated environment before production deployment
  • Rollback procedures for failed deployments

5. Availability Control

Backup and Recovery

  • Automated daily backups of Customer Data
  • Backups encrypted and stored in geographically separate locations
  • Regular testing of backup restoration procedures
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 24 hours

Infrastructure Redundancy

  • Multi-availability-zone deployment within EU regions
  • Load balancing and automatic failover
  • Redundant network connectivity
  • Regular disaster recovery testing

Business Continuity

  • Documented business continuity and disaster recovery plans
  • Annual testing of continuity procedures
  • Incident response team and escalation procedures

6. Separation Control

Multi-tenancy Controls

  • Logical separation of customer data at application and database level
  • Customer-specific encryption keys
  • Access controls prevent cross-customer data access
  • Regular security testing to verify separation

7. Data Integrity

Validation Controls

  • Input validation to prevent injection attacks
  • Data integrity checks during transmission and storage
  • Checksums and hash verification for stored data
  • Regular data integrity audits

8. Incident Response

Security Incident Management

  • 24/7 security monitoring and alerting
  • Defined incident response procedures
  • Incident response team with clear roles and responsibilities
  • Post-incident analysis and corrective action
  • Notification to affected customers within 72 hours of confirmed incident

9. Personnel Security

Employee Screening

  • Background checks for employees with access to Customer Data (where legally permitted)
  • Confidentiality agreements for all employees
  • Security and privacy training for all employees (annual)
  • Role-specific training for employees handling Customer Data

Access Management

  • Principle of least privilege for all employee access
  • Just-in-time access provisioning for temporary elevated access
  • Regular review and certification of access rights
  • Immediate access revocation upon role change or termination

10. Sub-processor Security

Vendor Management

  • Due diligence review of Sub-processor security practices
  • Contractual requirements for Sub-processors to implement appropriate security measures
  • Regular review of Sub-processor security compliance
  • Sub-processors include:
    • AWS (ISO 27001, SOC 2, PCI DSS certified)
    • Azure (ISO 27001, SOC 2, PCI DSS certified)

11. Security Testing and Assessment

Regular Testing

  • Annual third-party penetration testing
  • Quarterly vulnerability scanning
  • Automated security scanning in development pipeline
  • Security code reviews for significant changes

Compliance and Audits

  • Pursuing ISO 27001 certification (in progress)
  • Pursuing SOC 2 Type II certification (in progress)
  • Regular internal security audits
  • Third-party security assessments

12. AI and LLM Security

Enterprise-grade LLMs deployed within MeaningfulCX cloud infrastructure

  • Instances of OpenAI and Anthropic LLMs are deployed within MeaningfulCX cloud infrastructure (ISO 27001, SOC 2, PCI DSS certified) in EU regions
  • Customer Data processed entirely within EU regions

AI Processing Controls

  • Audit trails for all AI-generated insights
  • Source traceability for synthesized data
  • No use of Customer Data for model training without explicit consent
  • Transparent AI processing methodology

13. Application Security

Secure Development

  • Security-focused software development lifecycle (SDLC)
  • Security requirements in design phase
  • Security testing before production deployment
  • Automated security scanning in CI/CD pipeline

Vulnerability Management

  • Automated dependency scanning for known vulnerabilities
  • Regular patching schedule for systems and libraries
  • Prioritized remediation based on risk assessment
  • Timely application of critical security patches

Authentication and Session Management

  • Secure password hashing (bcrypt/Argon2)
  • Protection against brute force attacks (rate limiting, account lockout)
  • Secure session management with HTTPOnly and Secure flags
  • CSRF protection on all state-changing operations

Last Updated: October 2025

Version: 1.0

Acceptance

By using the Services, Customer acknowledges that it has read, understood, and agrees to be bound by this Data Processing Agreement.

For questions regarding this DPA, please contact:

Email: contact@meaningful.app

Address: MeaningfulCX GmbH, Birketweg 45, 80639 Munich, Germany