This Data Processing Addendum applies to individuals and businesses using Despark. This is the current version of these terms, dated 22 January 2025.
This data processing addendum ("DPA") applies as set out in the Agreement.
In the event of any conflict between the Agreement and this DPA, this DPA shall prevail.
Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement, and the following words and expressions shall have the following meanings:
"Customer Personal Data" means the Personal Data described here and any other Personal Data that Despark Processes on your behalf in connection with your use of the Services;
"Data Protection Laws" means any applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data, including without limitation: (i) the EU GDPR; (ii) the UK GDPR; (iii) the Swiss Federal Act on Data Protection ("FADP"); (iv) United States federal and/or state data protection or privacy statutes, including but not limited to the California Consumer Privacy Act of 2018 ("CCPA") and the California Privacy Rights Act of 2020 ("CPRA"); and (v) any other applicable data protection law;
"Data Subject Request" means the exercise by a Data Subject of their rights under, and in accordance with, Data Protection Laws in respect of Customer Personal Data;
"European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
"GDPR" means, as appropriate and as amended from time to time: (i) the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) ("EU GDPR"); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and/or (iii) any legislation, and/or regulation implementing or made pursuant to them or which amends, replaces, re-enacts or consolidates any of them;
"Party" means each of you and Despark;
"Relevant Body" means: (i) in the context of the US, the Federal Trade Commission (FTC); and (ii) in the context of the EEA, the European Commission;
"Restricted Country" means: (i) in the context of the EEA, a country or territory outside the EEA, in each case that the Relevant Body has not deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance with Article 45(1) of the GDPR;
"Restricted Transfer" means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, a Restricted Country outside the EEA (an "EEA Restricted Transfer");
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any of the Customer Personal Data while in the custody of Despark or any Sub-processor;
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission pursuant to Implementing Decision (EU) 2021/914;
"Sub-processor" means any third party appointed by or on behalf of Despark to Process Customer Personal Data;
The terms "Personal Data", "Controller", "Processor", "Data Subject", "Process", "Special Category Personal Data" and "Supervisory Authority" shall have the same meaning as set out in the EU GDPR.
2.1 In respect of Customer Personal Data, the Parties acknowledge that Despark acts as the Processor and you act as the Controller. You instruct Despark to Process Customer Personal Data as necessary to provide the Services to you and to perform its obligations and exercise its rights under the Agreement. Despark may terminate the Agreement in its entirety upon written notice to you with immediate effect if Despark considers (in its reasonable discretion):
2.1.1 that it is unable to adhere to, perform or implement any instructions issued by you due to the technical limitations of its systems, equipment and/or facilities; and/or
2.1.2 that adherence, performance or implementation of any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).
2.2 Despark will only Process Customer Personal Data in accordance with:
2.2.1 the Agreement, to the extent necessary to provide the Services to you, and
2.2.2 your written instructions, unless Processing is required by US, European Union or Member State law to which Despark is subject, in which case Despark shall, to the extent permitted by applicable law, inform you of that legal requirement before Processing Customer Personal Data in that way.
2.3 The Agreement (subject to any changes to the Services agreed between the Parties) and this DPA shall be your complete and final instructions to Despark in relation to the processing of Customer Personal Data. Processing outside the scope of this DPA or the Agreement will require prior written agreement between you and Despark on additional instructions for Processing.
2.4 Where applicable by virtue of Article 28(3)(h) of the GDPR, Despark shall immediately notify you in the event that Despark believes your instructions conflict with the requirements of the California CCPA, the EU GDPR, or other domestic US law.
2.5 Annex 1 sets out certain information regarding Despark's Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
You represent and warrant on an ongoing basis that Despark (and any Sub-processors) are legally permitted to Process the Customer Personal Data as contemplated under the Agreement and Statements of Work, including as follows:
3.1 the Processing of any Customer Personal Data will be consistent with the information communicated to the relevant Data Subjects or as otherwise necessary in accordance with Data Protection Laws; and
3.2 where required by applicable Data Protection Laws, you have a valid legal basis for the Processing by Despark of Customer Personal Data (including any and all instructions issued by you from time to time in respect of such Processing).
You agree that Despark may use the entities listed here, and hereby approve the appointment of those entities, as Sub-processors to Process Customer Personal Data.
You agree that Despark may use Sub-processors to fulfil its contractual obligations under the Agreement. Despark shall notify you from time to time of the identity of any amendments to the Sub-processors it engages, and you may, within fourteen (14) days of receipt of such notice, object (on reasonable grounds) to the proposed appointment. If, within fourteen (14) days of receipt of such notice, you notify Despark in writing of any objection (on reasonable grounds) to the proposed appointment: (i) Despark shall work with you in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of the proposed Sub-processor; and (ii) where such a change cannot be made within a further fourteen (14) days from Despark's receipt of your objection, notwithstanding anything in the Agreement, Despark may by written notice to you terminate the Agreement with immediate effect either (at its option) in whole or to the extent that it relates to the Services which require the use of the proposed Sub-processor.
Despark shall be liable for the acts and omissions of all Sub-processors under or in connection with this DPA.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Despark shall, in relation to Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Details of Despark's technical and organizational security measures are set out in Annex 2. You acknowledge and agree that you have reviewed the security measures listed in Annex 2 and satisfied yourself that they are sufficient for your purposes.
Upon your reasonable request, Despark shall make available all information as Despark (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA.
If Despark becomes aware of a Security Incident, Despark will:
5.2.1 notify you of the Security Incident without undue delay, providing you with sufficient information to allow you to meet any obligations under Data Protection Laws to inform affected Data Subjects and/or Supervisory Authorities of the Security Incident; and
5.2.2 provide such reasonable assistance to you as required to allow you to meet any obligations under Data Protection Laws to report the Security Incident to affected Data Subjects and/or the relevant Supervisory Authorities (as may be determined in accordance with the Data Protection Laws).
Despark shall, at your sole cost and expense, co-operate with you and take such reasonable commercial steps as may be directed by you to assist in the investigation, mitigation and remediation of each such Security Incident.
Despark shall perform a technical and organizational security self-audit on an annual basis. Despark runs frequent external web vulnerability scans and annual penetration tests against its platform, aiming to proactively and continuously ensure the highest level of security.
Despark shall treat Customer Personal Data as your confidential information, and shall ensure that any employees or other personnel who have access to it have agreed to protect the confidentiality and security of Customer Personal Data.
Save where prohibited by applicable law, Despark shall notify you of any Data Subject Request it receives, and shall not respond to the Data Subject Request unless instructed to do so by you.
Despark shall provide you with the ability to correct, delete, block, access or copy Customer Personal Data in accordance with the functionality of the Services.
Despark shall notify you of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority), unless otherwise prohibited by law or a legally binding order of such body or agency.
6.3.1 Where applicable, taking into account the nature of the Processing, and to the extent required under applicable Data Protection Laws, Despark shall, at your sole cost and expense:
6.3.1.1 provide you with such assistance as may be reasonably necessary and technically possible in the circumstances to assist you in fulfilling your obligation to respond to Data Subject Requests, solely to the extent that you are unable to action the Data Subject Request using automated tools made available on the Services; and
6.3.1.2 provide reasonable assistance to you with any data protection impact assessments, and prior consultations with Supervisory Authorities, which you reasonably consider to be required of you by Articles 35 or 36 of the GDPR, in each case solely in relation to the Processing of Customer Personal Data by, and taking into account the nature of the Processing by, and information available to, Despark.
6.3.2 Despark shall make available to you on request such information as Despark (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA.
6.3.3 The Parties shall discuss and agree the costs of any inspection or audit to be carried out by you or on your behalf in advance of such inspection or audit and, unless otherwise agreed in writing between the Parties, you shall bear any third party costs in connection with such inspection or audit (other than audits performed by regulatory agencies) and reimburse Despark for all costs incurred by Despark and time spent by Despark (at Despark's then-current professional services rates) in connection with any such inspection or audit.
7.1 Subject to sections 7.2 and 7.3 below, Despark shall, within 90 (ninety) days of the date of termination of the Agreement:
7.1.1 return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by you to Despark; and
7.1.2 delete all other copies of Customer Personal Data in Despark's control.
7.2 Subject to section 7.3 below, you may in your absolute discretion notify Despark in writing within 30 (thirty) days of the date of termination of the Agreement to require Despark to delete all copies of Customer Personal Data Processed by Despark. Despark shall, within 90 (ninety) days of the date of termination of the Agreement:
7.2.1 comply with any such written request; and
7.2.2 where this section 7.2 applies, not be required to provide a copy of Customer Personal Data to you.
7.3 Despark may retain Customer Personal Data to the extent required and for such period as required by applicable law, and provided that Despark shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.
8.1 You acknowledge and agree that Despark may store and Process Customer Personal Data outside of the US and/or EEA. The Parties agree that, to the extent you transfer Customer Personal Data to Despark in a Restricted Country, this shall result in a Restricted Transfer.
8.2 In the event of any conflict between the terms of this DPA and the terms of the applicable SCCs, the terms of the applicable SCCs shall prevail to the extent of such conflict.
8.3 If required by any Supervisory Authority or the mandatory laws or regulatory procedures of any jurisdiction in relation to an EEA Restricted Transfer, the Parties shall execute or re-execute the applicable SCCs as separate documents setting out the proposed transfers of Customer Personal Data in such manner as may be required.
This page includes certain details of the processing of Customer Personal Data: (i) as required by Article 28(3) of the GDPR; and (ii) to populate the appropriate SCCs (where applicable).
Despark's activities:
The provision of the Services to you.
Subject matter and duration of the Processing of Customer Personal Data:
The Processing of Customer Personal Data in connection with your access to the Services on the terms set out in the Agreement.
Nature and purpose of the Processing of Customer Personal Data:
The provision of the Services to you.
Types of Customer Personal Data to be Processed:
Name;
Unique identifier;
Email address;
Profile information;
Video footage captured using the ‘Live Feedback’ feature;
Screen recordings captured using the ‘Live Feedback’ feature;
Survey Responses captured using the ‘Survey’ feature;
Wallet addresses and on-chain information; and
Any other Personal Data uploaded or created on the Services.
Categories of Data Subjects to whom the Customer Personal Data relates:
Customer, Customer's employees and Customer's participants.
Authorized Sub-processors:
Those Sub-processors listed here, and any other Sub-processors approved by you in accordance with this DPA.
Competent Supervisory Authority:
The Supervisory Authority competent at the location of your main establishment.
Your obligations and rights:
The obligations and rights of the Customer are as set out in this DPA.
Despark agrees to implement and maintain the following security measures:
Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Despark’s organization, monitoring and maintaining compliance with Despark’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
Data security controls which may include at a minimum logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Customer Personal Data.
Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
Password controls designed to manage and control password strength, expiration and usage.
System audit or event logging and related monitoring procedures to proactively record user access and system activity.
Physical and environmental security of data centers, server room facilities and other areas containing Customer Personal Data designed to protect information assets from unauthorized physical access or damage.
Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Despark’s possession.
Change management procedures and tracking mechanisms designed to test, approve, and monitor all material changes to Despark's technology and information assets.
Incident management procedures designed to allow Despark to investigate, respond to, mitigate, and notify of events related to Despark's technology and information assets.
Network security controls and procedures for network services and components.
Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recover from foreseeable emergency situations or disasters.