← Home

Data Processing Addendum

Last updated: 2026-05-21

Placeholder copy. Have a privacy lawyer review before relying on this document. The language below is a reasonable scaffold but is not legal advice.

This Data Processing Addendum (“DPA”) supplements the Questaion Terms of Service and governs our processing of Customer Personal Data on your behalf when you use the Questaion service.

1. Definitions

“Applicable Data Protection Law” means the GDPR, the UK GDPR, the Swiss FADP, and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), each as applicable.

2. Roles

For Customer Personal Data, Customer is the “controller” (or “business”) and Questaion is the “processor” (or “service provider”).

3. Subject matter and duration

Subject matter: provision of the survey platform. Duration: the term of the underlying agreement plus any retention required by law.

4. Nature and purpose

Hosting, processing, transmitting, and presenting survey responses and account data so that the service operates.

5. Categories of data subjects and personal data

  • Data subjects: Customer's employees, end users, and survey respondents.
  • Categories: contact details, free-text answers, multiple-choice answers, numeric ratings, completion timestamps, IP-derived metadata, and any “context fields” the Customer chooses to attach.

6. Customer instructions

Questaion processes Customer Personal Data only on documented instructions from Customer (including the Terms, this DPA, configured survey settings, and lawful API calls).

7. Confidentiality

Personnel with access to Customer Personal Data are bound by confidentiality obligations.

8. Security

We implement appropriate technical and organizational measures including encryption in transit and at rest, access controls with SSO and 2FA, secure development lifecycle, vulnerability management, and incident response.

9. Subprocessors

Our current subprocessors are listed at /subprocessors. We give 30 days' notice of new subprocessors so Customer can object.

10. International transfers

Where data leaves the EEA/UK/Switzerland we rely on the EU-US Data Privacy Framework and the European Commission's Standard Contractual Clauses, with appropriate UK and Swiss addenda.

11. Data subject requests

We provide functionality to fulfil access, deletion, correction, and portability requests. Where a request reaches us directly, we will forward it to Customer without undue delay.

12. Audits

Customer may request our most recent third-party audit reports under NDA, and may conduct an audit on reasonable notice and at its own expense, no more than once per year unless required by law.

13. Personal data breach

We notify Customer without undue delay (and within 72 hours where feasible) of any personal data breach affecting Customer Personal Data.

14. Deletion and return

On termination, Customer may export data via the API. We will delete Customer Personal Data within 30 days unless retention is required by law.

15. Acceptance

To execute a countersigned DPA, email legal@questaion.com with your legal entity name and address.