Data Processing Agreement (DPA)

Article 28 GDPR · Version 1.0 · Last updated: April 19, 2026

How to execute: This DPA is pre-signed by Pay4Feedback and forms an integral part of the Terms of Service. By using the Pay4Feedback platform as a paying customer and processing personal data through the Service, you (the Controller) accept this DPA without further signature being required. A counter-signed PDF copy is available on request at support@pay4feedback.com.

1. Parties & Definitions

This Data Processing Agreement (“DPA”) is entered into between:

Processor: Dmytro Rybka, Im Hoffeld 31/1, 74427 Fichtenberg, Germany, operating Pay4Feedback (“Pay4Feedback” or “Processor”)
Contact: support@pay4feedback.com

and the Pay4Feedback customer (“Controller”) identified in the active Pay4Feedback tenant account. Together: the “Parties”.

1.1 Definitions

Capitalised terms have the meaning given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). In particular:

  • “Personal Data” — any information relating to an identified or identifiable natural person processed under this DPA.
  • “Processing” has the meaning given in Art. 4(2) GDPR.
  • “Data Subject” — in our context typically the Controller’s own end-users (widget respondents).
  • “Service” — the Pay4Feedback platform, dashboard, embeddable widget, and related APIs.
  • “Sub-Processor” — any processor engaged by Pay4Feedback to process Personal Data on behalf of the Controller (see Annex A).

2. Subject Matter, Duration & Nature of Processing

Subject matter: Collection, storage, and AI-scoring of end-user feedback responses; orchestration of reward payouts through Stripe and Tremendous.

Duration: For the term of the Pay4Feedback subscription plus the retention periods set out in the Privacy Policy.

Nature of processing: Collection, structuring, storage, retrieval, AI quality scoring, transmission to sub-processors for payment, and deletion.

Purpose: Enabling the Controller to collect paid, quality-scored feedback from end-users through the Service.

3. Categories of Data Subjects & Personal Data

3.1 Categories of Data Subjects

  • The Controller’s end-users (widget respondents) who voluntarily submit feedback.
  • End-users who elect to claim a monetary reward for their feedback.

3.2 Categories of Personal Data

  • Survey answers — text, multiple-choice, rating, NPS responses.
  • Session / technical data — anonymised IP, user agent, device type, referrer, timestamps.
  • Reward claim data (opt-in only) — email, first name, payout method, amount.
  • Consent record — timestamp of consent acceptance.

Pay4Feedback does not collect special categories of Personal Data (Art. 9 GDPR) on behalf of the Controller. The Controller warrants not to use the Service to collect such data without a separate legal basis.

4. Processor Obligations

Pay4Feedback shall:

  1. Process Personal Data only on documented instructions from the Controller (Art. 28(3)(a) GDPR).
  2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality (Art. 28(3)(b) GDPR).
  3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk — see Annex B (Art. 32 GDPR).
  4. Only engage Sub-Processors as permitted in Section 6.
  5. Assist the Controller in fulfilling its obligations under Arts. 32–36 GDPR.
  6. Assist the Controller in responding to Data Subject rights requests (Section 8).
  7. At the Controller’s choice, return or delete Personal Data after the end of provision of Services (Section 11).
  8. Make available all information necessary to demonstrate compliance with Art. 28 GDPR (Section 10).
  9. Inform the Controller if, in Pay4Feedback’s opinion, an instruction infringes the GDPR.

5. Controller Obligations

  1. Be responsible for the lawfulness of Processing and for the accuracy of Personal Data provided to Pay4Feedback.
  2. Obtain any necessary consents from end-users for Processing by Pay4Feedback.
  3. Not Process special categories of Personal Data (Art. 9 GDPR) or data relating to criminal convictions (Art. 10 GDPR) without a separate legal basis notified in writing.
  4. Maintain a record of Processing activities (Art. 30 GDPR) for Processing conducted through the Service.

6. Sub-Processors

The Controller grants Pay4Feedback a general authorisation to engage Sub-Processors.

6.1 Approved Sub-Processors

See Annex A below. The Controller expressly consents to the use of these Sub-Processors on the effective date of this DPA.

6.2 Changes to Sub-Processors

Pay4Feedback shall notify the Controller of any intended addition or replacement at least 30 days before the change takes effect, by email to the primary tenant account holder.

6.3 Written Contract with Sub-Processors

Pay4Feedback imposes, by written contract, the same data-protection obligations on each Sub-Processor as set out in this DPA (Art. 28(4) GDPR). Pay4Feedback remains fully liable for the performance of Sub-Processor obligations.

6.4 Right to Object

If the Controller reasonably objects to a new Sub-Processor on data-protection grounds within 30 days of notification, the Parties shall cooperate in good faith to resolve the objection. If no resolution is reached, the Controller may terminate for convenience, with a pro-rata refund of unused subscription fees.

7. International Data Transfers

Where Processing involves transfer of Personal Data to a country outside the EU/EEA, Pay4Feedback shall ensure that such transfer is governed by:

  • an adequacy decision of the European Commission (Art. 45 GDPR), including the EU–US Data Privacy Framework adequacy decision of 10 July 2023; or
  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Art. 46 GDPR), together with supplementary measures where required by Schrems II.

8. Assistance with Data Subject Rights

Pay4Feedback shall assist the Controller by appropriate technical and organisational measures in responding to requests under Chapter III GDPR: access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.

The dashboard provides self-service tools to export, delete, and manage feedback data. For complex requests, Pay4Feedback responds within 5 business days at support@pay4feedback.com.

9. Personal Data Breach Notification

Pay4Feedback shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of a Personal Data breach, including:

  • Nature of the breach, categories and approximate number of Data Subjects and records concerned;
  • Likely consequences;
  • Measures taken or proposed to address the breach and mitigate its effects;
  • Name and contact details of the responsible person at Pay4Feedback.

The Controller remains responsible for notifying the supervisory authority (Art. 33 GDPR) and affected Data Subjects (Art. 34 GDPR).

10. Audits & Inspections

Pay4Feedback shall make available information necessary to demonstrate Art. 28 GDPR compliance, including a copy of this DPA, the TOMs summary (Annex B), and SOC 2 / ISO 27001 confirmations from infrastructure providers (AWS).

Enterprise customers may, once per year with 30 days’ notice, conduct a remote questionnaire-based audit at their own expense.

11. Return or Deletion of Data

At the end of the Services, Pay4Feedback shall, at the Controller’s choice, delete all Personal Data or return it (via CSV export) and then delete existing copies, unless EU/Member State law requires retention. Deletion occurs within 30 days of termination; encrypted backups are purged within 90 days.

12. Liability & Governing Law

The liability regime of the Pay4Feedback Terms of Service applies. This DPA is governed by German law, excluding the UN CISG. Exclusive jurisdiction: Stuttgart, Germany. Where a DPA provision and a Terms provision conflict, the one that better protects the Data Subject prevails.

Annex A — Approved Sub-Processors

As of the date of this DPA, Pay4Feedback uses the following Sub-Processors.

  • Amazon Web Services EMEA SARL — Application hosting, database (RDS), email (SES). Location: Frankfurt, Germany (eu-central-1). Safeguard: EU-based, SCCs for any US parent transfers, ISO 27001 / SOC 2.
  • Stripe Payments Europe, Ltd. — Payment processing. Location: Dublin, Ireland. Safeguard: EU-based, SCCs for US sub-processors, PCI-DSS Level 1.
  • Tremendous, LLC — End-user reward payouts. Location: New York, USA. Safeguard: EU–US Data Privacy Framework (Art. 45 GDPR).
  • Anthropic, PBC (opt-in, Enterprise only) — AI quality scoring where enabled. Location: USA. Safeguard: SCCs; zero-retention API mode (no data used for training).

Annex B — Technical & Organisational Measures (TOMs)

Pursuant to Art. 32 GDPR, Pay4Feedback implements the following measures:

B.1 Confidentiality

  • Role-based access control; least-privilege IAM on production systems.
  • Multi-factor authentication for all staff access to production infrastructure.
  • Staff bound by written confidentiality agreements.
  • Password hashing with bcrypt; no plaintext password storage.

B.2 Integrity

  • TLS 1.2+ for data in transit; HSTS enforced on public endpoints.
  • AES-256 encryption at rest for database and backups.
  • Signed JWT for session authentication with short expiry + refresh tokens.

B.3 Availability & Resilience

  • Daily automated RDS snapshots, retained 30 days.
  • AWS App Runner auto-scaling with health checks.
  • Target availability: 99.5% (Starter/Growth), 99.9% (Enterprise).

B.4 Restoration after Incident

  • Point-in-time recovery (RDS PITR) with 5-minute granularity.
  • Documented disaster recovery runbook. RPO ≤ 1 hour, RTO ≤ 4 hours.

B.5 Regular Testing

  • Automated CI pipeline with unit, integration, and security-scanning steps.
  • Quarterly dependency security audits.
  • Annual third-party penetration test (available to Enterprise customers on request).

B.6 Pseudonymisation

  • End-user IP addresses truncated before storage.
  • Internal analytics keyed on pseudonymous session IDs.

B.7 Physical Security

Production hosting is provided by AWS in eu-central-1 (Frankfurt), certified ISO 27001, SOC 1/2/3, PCI-DSS.

© 2026 Pay4Feedback · Made in Germany · hello@pay4feedback.com