Loop11 Data Processing Agreement for Customers

This DPA governs any Loop11 Processing of Customer Personal Data on behalf of our Customers.

You (or “Customer”) and Loop11, Inc. and its Affiliates (“Loop11”) agree to the terms and conditions of this Data Processing Agreement, including the Standard Contractual Clauses, and its Appendices (collectively, the “DPA”) in connection with your use of the Loop11 Platform and Services, as defined in and pursuant to our Agreement.

By accessing the Platform and using the Services, you agree to this DPA. This DPA supplements and is incorporated into the Loop11 Customer Terms and Conditions (as updated from time to time) (the “Terms”) or other written agreement between us under which Loop11 agrees to provide you with access to the Platform and Services (the Loop11 Customer Terms and Conditions or such other agreement are referred to herein as the “Agreement”).

If there is a conflict or inconsistency between this DPA and our Agreement, then the terms of this DPA will control. Any capitalized terms used but not defined in this DPA will have the meanings given to them in either the Agreement or the Applicable Laws, as further described below.

RECITALS

WHEREAS, Loop11 carries out cross-border transfers of data to and from the US and other locations, and Processes such data for the purpose of providing the Services to you, including storage of your Sessions, Recordings and Statistical Data, storage of certain other information, support of security and threat analysis, billing, and account provisioning.

WHEREAS, Tests and Sessions are controlled by the Customer and the transmission to Loop11 of Customer Personal Data for Processing is determined solely by Customer.

WHEREAS, the Service is hosted by Loop11’s data center partners, which maintain independently validated security programs, including SOC 2 and ISO 27001, and we regularly conduct penetration testing to continually assess and improve our security posture; and

WHEREAS, Loop11 does not voluntarily permit US or other governmental agencies access to its infrastructure.

THEREFORE, for good and valuable consideration, the parties agree as follows:

AGREEMENT

1. Definitions. For the purposes of this DPA, “Commission”, “Controller”, “Personal Data Breach”, “Member State”, “Processor”, “Sensitive Data” and “Supervisory Authority” shall have the meaning given in the European Union (EU) General Data Protection Regulation 2016/679 (“GDPR”) or any other Applicable Laws. “Business,” “Consumer” and “Service Provider,” shall have the meaning given in the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100, et seq. (“CCPA”). “Processing” (and its derivatives) has the meaning given to it in the GDPR or the CCPA, as the context of this DPA requires.

1.1 “Affiliates” means any business entity that owns more than fifty percent (50%) of the voting interest in a party, or otherwise directly or indirectly controls, is controlled by, or is under common control with a party.

1.2 “BCRs” means the binding corporate rules approved pursuant to Article 47 and 63 of the GDPR.

1.3 “Applicable Laws” means any data protection laws applicable to Loop11, including the GDPR, the UK GDPR and the CCPA.

1.4 “Customer Personal Data” means “personal data” or “personal information” (as defined under Applicable Laws) that Loop11 obtains and Processes on Customer’s behalf, in the course of providing Services to Customer. For purposes of this DPA, Customer Personal Data does not include personal data or personal information that Loop11 obtains or Processes (i) from Contributors outside a Test or Session or (ii) independent of its Agreement with Customer.

1.5 “Standard Contractual Clauses” or “SCCs” means, as the context requires:  (i) the EU Standard Contractual Clauses for Processors pursuant to the European Commission Decision as of 4 June 2021 for Customer Personal Data exported from the EEA or Switzerland (“EU SCCs“); or (ii) the EU SCCs as amended by the UK International Data Transfer Addendum, attached as Schedule 2, for Customer Personal Data exported from the UK (“UK SCCs“).

1.6 “Sensitive PII” includes “Sensitive Data” such as revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences.

1.7 “Subprocessor” (or “sub-processor”) has the meaning given in the SCCs.

1.8 “Transfer” or “Transferred” means the transfer, disclosure, or other type of access to Customer Personal Data to a person, organization, or system located in a country or jurisdiction other than the country or jurisdiction where the Customer Personal Data originated.

1.9 “UK GDPR” means the EU GDPR as amended and incorporated into UK law.

2. Roles, Purposes and Customer’s Instructions.

2.1. Roles. In respect of any Customer Personal Data, Customer is the Controller or the Data Exporter under the GDPR and Business under the CCPA, Loop11 is the Processor or the Data Importer under the GDPR and Service Provider under the CCPA, and Loop11’s sub-contractors are Subprocessors under the GDPR and Service Providers under the CCPA. Loop11’s Processing of Customer Personal Data will comply with SCCs. For the avoidance of doubt, Loop11 is the Controller and Business with respect to (i) the personal data and personal information it collects directly from Contributors outside of a Test or Session, (ii) the business contact details of Customer’s employees, agents and others whose data is collected or received in the course of providing access to the Services, which is subject to its Privacy Policy.

2.2. Purposes. Loop11 agrees that it will only collect and Process Customer Personal Data on Customer’s behalf for the purposes of (i) providing and enhancing the Platform and Services, and (ii) detecting data security incidents and protecting against fraudulent or illegal activity. Loop11 will not Process Customer Personal Data for any other purpose without Customer’s consent, including for the purpose of providing services to another person or entity. Loop11 will not sell Customer Personal Data.

2.3. Customer Instructions. Loop11 will conduct all Processing of Customer Personal Data in accordance with Customer’s written instructions, which are deemed fully reflected in this DPA unless Customer and Loop11 specifically agree to additional written instructions (which will supplement, but not replace, the instructions in this DPA). If Customer elects to perform Tests which involve testing with minors, Protected Health Information or physical product testing, Customer will comply with all additional requirements set forth in the Terms or as expressly authorized by Loop11. Customer will not perform tests that would collect Sensitive PII from a Contributor, unless Customer has obtained Contributor’s prior written consent and Customer complies with all additional requirement required by Loop11. Customer can obtain Contributor’s consent by adding a request for consent in the very first screener question of the Test. If Loop11 becomes aware of any instruction issued by Customer which, in its opinion, infringes Applicable Laws, Loop11 will promptly inform Customer thereof. Customer Personal Data shall be Processed as reasonably required for the business relationship between the parties.Customer Personal Data shall be Processed as reasonably required for the business relationship between the parties. Customer will hold Loop11 harmless and indemnify Loop11 for any damages suffered or incurred due to Loop11’s Processing of Customer Personal Data in accordance with Customer’s instructions. In accordance with Applicable Laws, Loop11 has implemented the technical and organizational measures listed under the attached Appendix Annex II, which are intended to protect Customer Personal Data against (i) unauthorized or accidental access or disclosure, (ii) misuse, (iii) corruption, and (iv) loss or destruction.

2.4. Customer is responsible for ensuring any required data subject consent is duly provided when it collects Personal Data, and Loop11 shall have no liability arising from the Processing of Customer Personal Data in accordance with Customer’s written instructions

3. Request to Access Customer Personal Data; Disclosure of Customer Name. If a third party requests access to, or correction of, Customer Personal Data, Loop11 will refuse the request, and instruct the third party to make such request directly to Customer, and provide the third party with Customer’s contact information. If compelled to disclose Customer Personal Data due to a legal demand by a law enforcement agency or other third party, Loop11 will give Customer notice of such demand before granting such access, to allow Customer to seek a protective order or other appropriate remedy. If notice to Customer is legally prohibited, Loop11 will use commercially reasonable efforts to protect the Customer Personal Data from undue disclosure, as if it were Loop11 Confidential Information being requested. Customer acknowledges and agrees that Customer may disclose Customer’s name to a Contributor if necessary or advisable under applicable law.

4. Customer Personal Data Breach. Loop11 will notify Customer without undue delay if it becomes aware of unauthorized or accidental access or misuse of the Customer Personal Data it processes under the Agreement and will endeavor to mitigate the effects and to minimize any data protection breach. Loop11 will take action to prevent any further breach and provide Customer with all reasonable cooperation and assistance in relation to any notifications that Customer is required under Applicable Law to make as a result of said breach.

5. Transfer. You acknowledge and agree that we may access and Process Customer Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Customer Personal Data will be transferred to and Processed by Loop11 in the US and other jurisdictions where we, our Affiliates, and our Subprocessors have operations. We will ensure such transfers comply with the Applicable Laws. We will not transfer Customer Personal Data from the EEA, Switzerland, or the UK to any country or recipient not recognized as providing an adequate level of protection for Customer Personal Data by the relevant EEA, UK or Swiss authority unless we first take all necessary measures to ensure the transfer is in compliance with Applicable Laws. Such measures may include transferring such data to a recipient that (i) is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Customer Personal Data, (ii) has achieved BCRs, or (iii) has executed appropriate SCCs. In particular, the parties agree to the SCCs attached to this DPA as Schedule 1 form part of this DPA.

6. Obligations towards Subprocessors. Whether the Subprocessor is a Loop11 Affiliate or a third party, Loop11 will:

6.1 restrict Subprocessors’ access to Customer Personal Data to what is reasonably necessary to maintain or provide the Platform and Services to Customer;

6.2 impose substantially similar appropriate contractual obligations in writing upon Subprocessors that are no less protective than the obligations set forth in this DPA; and

6.3 remain responsible for Subprocessors’ compliance and performance with the obligations of this DPA.

7. List of Subprocessors. Loop11’s Subprocessors include its Affiliates and are approved by Customer as of the date of signature. Customer consents to Loop11’s use of its Affiliates and other Subprocessors in the provision of the Platform and Services. Loop11 will provide notification of new or changes in its Subprocessor(s) before authorizing any new Subprocessor(s) to Process Customer Personal Data under the Agreement. If the Customer objects to the engagement of any new Subprocessor, the Customer will give Loop11 written notice of such objection and, if Loop11 elects to continue using the Subprocessor, Customer may terminate the Agreement.

8. Audit. Subject to your confidentiality obligations, Loop11 will provide you with information necessary to enable you to demonstrate compliance with Applicable Laws. Loop11 will, no more than annually, respond to your reasonable requests for information, including responses to information security and audit questionnaires. Where, in Customer’s reasonable opinion, the requested information is not sufficient, Loop11 will, upon advance written notice, allow Customer to inspect information in Loop11’s control. Customer agrees Loop11 shall have no obligation to provide information that it is precluded from providing by applicable laws or contractual obligation to another party. Customer will be solely responsible for all fees associated with such audit, including any fees charged by any auditor you may appoint and for any damage, injury, or disruption to our premises, equipment, personnel, and business caused by your auditor. If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and Loop11 and must execute a written confidentiality agreement with Customer and Loop11 before conducting the audit. The parties will work cooperatively to agree on a final audit plan, which may include charges for expenses incurred by Loop11. Customer will provide Loop11 with any audit reports generated in connection with any audit under this section, unless prohibited by law. Any information obtained during an audit may be used, solely as necessary to demonstrate compliance with Applicable Laws and regulatory requests. Customer may perform one audit per year unless required to perform more by applicable laws, upon specific request by a regulatory body or in response to a data breach.

9. Data Retention. Loop11 will delete Customer Personal Data upon Customer’s request as prescribed in the Agreement, unless Loop11 is required by law to retain a copy of Customer Personal Data. Loop11 has no obligation to retain Customer Personal Data after termination or expiration of the Agreement, unless expressly agreed by the parties.

10. Miscellaneous.

10.1 Notwithstanding anything to the contrary, the parties acknowledge that the Applicable Laws are not intended to jeopardize or undermine the confidentiality obligations to which the parties are subject in the Agreement or an agreed upon non-disclosure agreement.

10.2 Should any provision or condition of this DPA be held or declared invalid, unlawful, or unenforceable by a competent authority or court, then the remainder of this DPA will remain valid.

10.3 This DPA will be effective for so long as our Agreement is effective. Loop11 may update its online terms with email notice to the Customer. Any other amendments to this DPA must be in writing and signed by authorized representatives of each party.

Schedules 1 and 2: Standard Contractual Clauses and International Data Transfer Addendum

Unless otherwise agreed in writing by the parties, by executing an Order, Customer is deemed to execute the SCCs as set out in full on our website, which will have legally binding force on the parties. A link to the SCCs can be found here. The following Appendices are incorporated by reference into the SCCs.

Appendix – ANNEX I to SCC 2021

DESCRIPTION OF TRANSFERS

This Appendix – Annex I (or “Annex I”) is incorporated into the DPA. All capitalized terms used but not defined below will have the meanings given to them in the DPA.

1. LIST OF PARTIES

Data Exporter

The Data Exporter is (i) the company that has executed the Standard Contractual Clauses as a Data Exporter and (ii) all Customer Affiliates (as defined under the Agreement) established within the European Economic Area (EEA), UK or Switzerland that export Customer Personal Data under the Agreement.

Data Importer

The Data Importer is Loop11, Inc. and its Affiliates. The Data Importer provides the Loop11 Platform and Services to the Data Exporter under the Agreement, in the course of which it Processes certain Customer Personal Data as a Processor.

2. DESCRIPTION OF TRANSFER

Nature of the Processing

The Data Importer provides the Platform and Services to the Data Exporter, in the course of which it Processes certain Personal Data as a Processor. Loop11 Platform is software platform that enables its customers to develop test plans and define audiences in order to solicit perspectives on any brand, design, content or offering.

The data exporter’s data on the Loop11 Platform may be hosted and stored in a 3rd party data center (AWS) in the US.

Purpose(s) of the data transfer and further processing

The Data Importer processes Customer Personal Data for the purposes of providing services to the Data Exporter in particular, delivering and making available to the Data Exporter, the records, recordings and analyses from interviews, surveys and sessions conducted on the Loop11 Platform.

Duration of processing, the period for which the personal data will be retained, and/or the criteria used to determine that period

Customer Personal Data is retained for the time period during which the data importer provides the Services to the data exporter until data is deleted upon Customer’s request. In the absence of Customer’s request for deletion, Loop11 may delete Customer Personal Data after 3 months from the end of the provision of Services, unless Loop11 is required by law to retain a copy of Customer Personal Data.

Data Subjects

The Customer Personal Data transferred concerns the following categories of data subjects:

  • Contributors, in Tests and Sessions

Categories of Data

The Customer Personal Data transferred concerns the following categories of data:

  • Personal Data or other personally identifiable information included in responses to Tasks and questions included by Customer in a Test
  • Face Recordings in Sessions designed to capture Face Recordings
  • Personal Data or other personally identifiable information inadvertently captured by screen and audio recordings

Sensitive Data

Customer may request special categories of information in a Test, such as any information about children or an individual’s racial/ethnic origin, health, sexuality, political opinions, religious beliefs, criminal background or alleged offenses, or trade union membership, subject to the Customer’s compliance with applicable laws and the Agreement.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Data will be transferred on a continuous basis.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing

In the scope of providing the Loop11 Platform and Services, including technical support, Loop11 and its Subprocessors may need access to or process the personal data that is entered by data exporter into the Loop11 Platform in order to provide the subscription service.

3. COMPETENT SUPERVISORY AUTHORITY

The supervisory authority of the Data Exporter.

Appendix – ANNEX II to SCC 2021

Technical and Organizational Security Measures

This Appendix – Annex II (or “Annex II”) is incorporated into the DPA and summarizes the technical, organizational, and physical security measures implemented by the parties. All defined terms not defined below will have the meanings given to them in the DPA.

Loop11’s Information Security is centrally managed by its Information Security team. The Loop11 Information Security team’s responsibilities include the management of information security across all global locations, all Loop11 products and services and engagement of Loop11 Subprocessors.

In addition to any data security requirements set forth in the DPA, Loop11 will comply with the following:

1. Security Governance

Loop11’s security policy is approved by its executive team and formally reviewed annually. It requires that all employees be trained on their responsibilities in protecting personal and confidential information. New employees are trained during orientation. All employees are required to refresh their training at least yearly.

2. Service Authentication

a. Complex passwords are required for client and contributor access. Passwords must be at least 8 characters long and must contain at least one uppercase letter, one lowercase letter, and one digit. They may also contain special characters.

b. Users are logged out of the system after periods of inactivity

c. When users create new accounts, they create their own secure passwords. When existing users create accounts for others, the new users are invited by email and are then asked to create their own secure passwords.

d. Lost passwords are not retrievable but can be reset by the user by responding to an email sent to the account’s email address that is already on record.

3. Single Sign-on

Loop11 also supports login via single sign-on using SAML 2.0 protocols. This enables customers to implement additional security requirements for passwords and the login process.

4. Multi-factor authentication (MFA) for internal accounts

Loop11 requires that internal email and development accounts use MFA.

5. Data Hosting and Encryption

a. All confidential and proprietary data (including video files, Customer and Contributor data) are hosted through Amazon Web Services (AWS). AWS is a SOC 2 and ISO 27017 certified hosting provider.

b. All data is encrypted at rest and in transit. Data is stored in encrypted form using 256-bit AES encryption. Encryption keys are managed by AWS Key Management Services.

c. All communication to and from the data center is encrypted (TLS 1.2 or greater required).

6. Vulnerability Scanning

Loop11 performs regular vulnerability scans on infrastructure devices, servers, and user computers. Cloud infrastructure, virtual instances, web applications, and production code changes are scanning for vulnerabilities to ensure weaknesses are identified fast, and vulnerabilities remediated quickly.

7. Prototype, Image and Asset Hosting

Loop11 is able to host some web assets used during tests. The assets are encrypted at rest and only accessed through SSL. These are kept securely in our AWS infrastructure and only accessible through secure links that are inactive unless the test is in progress and used by the assigned, active contributor.

8. Data Lifecycle Management

Unless Loop11 is required by law to retain a copy of Customer Personal Data, Loop11 may delete Customer Personal Data three months after the end of the provision of Services. Loop11 will delete Customer Personal Data upon request from Customer.

9. Personnel Security

a. Loop11 conducts background checks on all employees, contractors, and consulting agencies, and does not hire individuals with inappropriate backgrounds.

b. Employees who leave the company or change business roles will have their access privileges revoked or modified within 24 hours.

12. System Development

a. Loop11 builds its platform using an agile development methodology that releases small changes frequently after peer review and testing.

b. Every change that is built runs first on a local system. Changes are peer reviewed and then tested on non-production systems. After all tests are passed, and peer reviews completed, changes are deployed to the production system. Each change is processed by static analysis tools that look for known vulnerabilities in any component used. Tests are performed on separate systems (built the same way) but using seed data or obfuscated production data so that tests may be performed without risking the production system.

c. Deployment is managed by automated tools. The scripts that drive the tools are also kept under change control.

d. Virtual instances are checked nightly and critical software patches are applied as necessary.

e. Customer data is not used outside of production. Exceptions are made when troubleshooting issues where real data is relevant and even then, the data is first obfuscated to prevent exposure of the personal information of Customers and Contributors.

15. Logging

System activity is centrally logged. Logs are kept for a minimum of 12 months in ways that make them virtually impossible to tamper with.

16. Intrusion Detection, Prevention and Incident Response

System accesses are monitored and logged. ThreatStack software is deployed on every instance in the VPC and alerts when it encounters unusual activity. Custom monitors look for other unusual activity. Alerts are investigated by engineers according to an incident response plan. The plan is designed to effectively escalate incidents to the appropriate level of authority, ensuring quick fixes that are followed up with a root cause analysis and work plan, to prevent future incidents. The incident response plan is reviewed annually.

17. Web Application Firewall (WAF)

Loop11 employs a WAF implemented using AWS WAF platform to prevent certain kinds of common attacks. AWS automatically updates the managed rules as new exploits and bad actors emerge.

18. Data Loss Prevention (DLP)

Loop11 deploys DLP tools on company workstations to track and alert when unusual activity is detected. Additional DLP tools are deployed in critical cloud infrastructure.

19. Subprocessors

Loop11 uses a number of third parties to deliver its full platform of services. Most do not have access to confidential information. Any that do are subject to annual security reviews and are obligated by contract to provide a security posture that is at least as stringent as what we provide directly.

20. Business Continuity

Business continuity is included as part of Loop11’s security policy. The platform has been designed to be robust and recoverable.

  • The platform is hosted on multiple servers running in AWS with load balancing and failover provisions
  • Instances can be spun up as needed if one fails
  • Videos are stored in journaled S3 buckets
  • Videos are stored in at least two geographically diverse data centers
  • Other data is stored in RDS with continuous backups to alternate data centers and daily snapshots.
  • Data centers are located in geographically-diverse locations to ensure redundancy in the case of a catastrophic event

Last updated: April 28, 2022