Data Processing Agreement

GDPR-compliant data processing terms for business customers

Last updated: December 2024 | Version 1.0

Note: This Data Processing Agreement (DPA) applies to customers who process personal data of EU residents through our Service. It supplements our standard Terms of Service and Privacy Policy.

1. Parties and Definitions

Data Controller: Customer (the organization using our Service)

Data Processor: 360 AI Feedback, LLC

Service: 360 AI Feedback platform at 360aifeedback.com

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Customer and 360 AI Feedback, LLC ("360 AI Feedback," "we," or "us") and governs the processing of personal data by 360 AI Feedback on behalf of Customer in connection with the Service.

2. Processing Details

2.1 Subject Matter

The subject matter of processing is the provision of feedback collection, analysis, and insights services through our AI-powered platform.

2.2 Duration

Processing will continue for the duration of the service agreement and data retention periods as specified in our Privacy Policy.

2.3 Nature and Purpose of Processing

  • Collection and storage of feedback responses
  • AI-powered analysis of feedback content
  • Generation of insights and recommendations
  • Team performance analytics and reporting
  • User authentication and access management

2.4 Types of Personal Data

Identity Data:

  • Names and job titles
  • Email addresses
  • Profile photographs
  • Employee identifiers

Professional Data:

  • Feedback responses and comments
  • Performance ratings and assessments
  • Team membership information
  • Usage patterns and preferences

2.5 Categories of Data Subjects

  • Customer's employees, contractors, and team members
  • Feedback recipients and providers
  • Administrative users and team leaders

3. Data Processor Obligations

3.1 Processing Instructions

360 AI Feedback will process personal data only on documented instructions from Customer, including this DPA, Terms of Service, and through the Service interface. We will inform Customer if we believe any instruction violates applicable data protection law.

3.2 Confidentiality

We ensure that persons authorized to process personal data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.

3.3 Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Measures:

  • Encryption of data in transit and at rest
  • Pseudonymization where applicable
  • Regular security testing and monitoring
  • Access controls and authentication

Organizational Measures:

  • Staff training on data protection
  • Background checks for personnel
  • Incident response procedures
  • Regular security audits

3.4 Sub-processors

Customer consents to our engagement of the sub-processors listed in Appendix A. We will:

  • Impose the same data protection obligations on sub-processors
  • Remain fully liable for sub-processor performance
  • Provide 30 days' notice of new sub-processors
  • Allow Customer to object to new sub-processors

4. Data Subject Rights

4.1 Assistance with Rights Requests

We will assist Customer in fulfilling data subject rights requests, including:

  • Access
  • Rectification
  • Erasure
  • Portability

4.2 Response Timeline

We will respond to Customer's requests for assistance within 10 business days and provide necessary information to help Customer respond to data subjects within the required 30-day period.

5. Personal Data Breach

5.1 Breach Notification

We will notify Customer without undue delay (within 24 hours where feasible) after becoming aware of a personal data breach affecting Customer data.

5.2 Breach Information

Notifications will include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact information for further details

5.3 Remediation

We will cooperate with Customer and take reasonable steps to remediate the breach and prevent future incidents.

6. International Data Transfers

6.1 Transfer Mechanisms

When transferring personal data outside the European Economic Area, we ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where available
  • Other appropriate safeguards as recognized by applicable law

6.2 Transfer Documentation

We will provide Customer with copies of relevant transfer mechanisms upon request.

7. Audits and Compliance

7.1 Audit Rights

Customer may conduct audits of our data processing activities, including through:

  • Review of our security certifications and audit reports
  • Questionnaires and compliance assessments
  • On-site inspections (with reasonable advance notice)

7.2 Audit Frequency

Audits may be conducted once per year or following a suspected breach. Customer bears the cost of audits unless they reveal material non-compliance.

8. Return and Deletion of Data

8.1 End of Processing

Upon termination of services, we will:

  • Return all personal data to Customer in a commonly used format
  • Delete all personal data from our systems within 30 days
  • Provide certification of deletion upon request
  • Ensure sub-processors also delete or return data

8.2 Legal Retention

We may retain personal data to the extent required by applicable law, with appropriate safeguards in place.

9. Liability and Indemnification

9.1 Processor Liability

360 AI Feedback shall be liable for damages caused by processing that violates GDPR or Customer's lawful instructions. Liability is limited to direct damages and subject to the limitations in our Terms of Service.

9.2 Controller Responsibilities

Customer remains responsible for compliance with data protection laws as a controller, including obtaining necessary consents and providing privacy notices to data subjects.

Appendix A: Sub-processors

The following sub-processors are authorized to process personal data:

Sub-processor   Service                     Location        Safeguards
Supabase        Database & Authentication   United States   SCCs, SOC 2 Type II
Stripe          Payment Processing          United States   SCCs, PCI DSS
Resend          Email Services              United States   SCCs, DPA
OpenAI          AI Analysis                 United States   SCCs, Enterprise DPA
Vercel          Hosting & Infrastructure    United States   SCCs, SOC 2

Contact Information

For questions about this DPA or data protection matters:

Data Protection Officer

Email: dpo@360aifeedback.com

Phone: [Your Business Phone]

Legal Department

Email: legal@360aifeedback.com

Address: [Your Business Address]