Data Processing Addendum

Controller to Processor

Last Reviewed & Updated: 19th February 2026, v1.3

This Data Processing Addendum (“DPA”) forms part of and supplements the one or more agreements (including any applicable statements of work, the “Agreement”) entered into between Dig Insights Inc. (“Dig Insights,” “Service Provider”, or “Processor”) and the applicable counterparty (“Customer” or “Client”).

This DPA sets out the terms and conditions that apply whenever Dig Insights processes Personal Data in connection with the Agreement. This DPA ensures that the processing of Personal Data is conducted in accordance with all Privacy Laws, that appropriate technical and organizational safeguards are maintained by the relevant parties, and that the rights of individuals whose Personal Data is being processed are respected.

Any capitalized terms not defined in Section 13 of this DPA shall have their meanings assigned to them as part of the Agreement.

1.0 Data Processing

1.1 Scope and Roles

This DPA applies when Dig Insights processes Personal Data provided by the Customer in connection with the Agreement. In this context, to the extent relevant under applicable Privacy Laws, Dig Insights will serve as the Processor for the Customer, who is identified as the Controller. These terms, as well as “Personal Data” and “Processing,” shall share the definitions provided under the General Data Protection Regulation [(EU) 2016/679] (“GDPR”) with respect to any Personal Data processed under the Agreement.

In certain circumstances, the Customer may be a Processor under applicable Privacy Laws, in which case the Customer appoints Dig Insights as its Subprocessor; this appointment shall not alter the obligations of either party under this DPA.

1.2 Processing by the Customer

When using the Services provided by Dig Insights, such as self-service web applications, the Customer shall process Personal Data in accordance with the requirements of the Agreement and all applicable Privacy Laws. To the extent that Customer acquires Personal Data to be shared with or used in the Services provided by Dig Insights for processing, the Customer shall have the sole responsibility for the legality of the data and the means by which it was acquired.

1.3 Processing by Dig Insights

Dig Insights shall process Personal Data only for the purpose of providing its Services to the Customer. The Customer provides the following instructions to Dig Insights with respect to processing the Personal Data:

a) All processing will be performed in accordance with the Agreement;
b) Authorized Users may initiate processing in their use of the Services according to the Agreement;
c) Ensure compliance with other reasonable instructions provided by Customer; and
d) Ensure compliance with all Privacy Laws.

Given the nature of the processing, the Customer acknowledges that it is unlikely for Dig Insights to become aware of inaccuracies or outdated information in the Personal Data transferred under the Agreement. However, if Dig Insights becomes aware of such issues, it will promptly inform the Customer and collaborate to correct or erase inaccurate or outdated Personal Data.

Dig Insights will promptly notify the Customer in writing if, in its opinion, the Customer’s instructions do not comply with all Privacy Laws.

Customer Data, including Personal Data, may also be processed by secure AI Systems that comply with all applicable laws, including the AI Laws. When used with AI Systems, Customer Data and Personal Data will be processed by Dig Insights personnel solely for data analysis as part of research activities. All processing will be completed by enterprise-grade AI Systems approved and agreed upon by Dig Insights and the Customer. Further, these AI Systems have been configured such that any input provided by Dig Insights or the Customer is not used for training or model improvement. Further details concerning the Use of AI Systems are described in Section 4 and Annex F of this DPA.

Dig Insights will not Re-identify or attempt to Re-identify any aggregated or de-identified Personal Data that is collected, received or otherwise processed by Dig Insights in connection with the Agreement, whether using AI Systems or otherwise, or authorize or permit any other person to Re-identify such data. Dig Insights will use contractual or other reasonable means to prevent employees, Subprocessors and other persons acting on behalf of Dig Insights from Re-identifying or attempting to Re-identify any such data.

1.4 Compliance with Laws

Each party will comply with all laws, rules, and regulations applicable to it and binding upon it in the performance of this DPA, including AI Laws and Privacy Laws.

2.0 Customer Instructions

The parties agree that this DPA and the Agreement constitute Customer’s documented instructions regarding Dig Insights’ processing of Personal Data (“Documented Instructions”). Dig Insights will process Personal Data only in accordance with the Documented Instructions. To the extent relevant under applicable Privacy Laws, if the Customer is acting as a Processor, such Documented Instructions may be based on the instructions of its Controllers.

Additional instructions outside the scope of the Documented Instructions, if any, require a prior written agreement between Dig Insights and the Customer, including an agreement on any additional fees payable by the Customer to Dig Insights for carrying out such instructions.

Customer is entitled to terminate this DPA and the Agreement if Dig Insights declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA.

Dig Insights will notify Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate Privacy Laws, in which case, Customer is entitled to withdraw or modify its Documented Instructions.

3.0 Confidentiality of Personal Data

Dig Insights will store and process Personal Data using systems and processes supported by security controls designed to preserve the confidentiality of the data, meeting or exceeding the requirements of Privacy Laws.

Further details concerning these security controls are described in Annex B, which includes limitations and restrictions on how Dig Insights’ personnel can interact with Personal Data. Additionally, Dig Insights imposes appropriate contractual obligations on its personnel, including relevant obligations regarding confidentiality, data protection and security.

In support of these requirements, Dig Insights will ensure that all its personnel:

a) Are informed of the sensitive and confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
b) Have undertaken training on Privacy Laws relating to handling Personal Data and how it applies to their particular duties; and
c) Are aware of both Dig Insights’ duties and their personal duties and obligations under Privacy Laws and this DPA.

Personal Data will not be accessed, used, communicated, or disclosed to any Third-Party, except as strictly required to perform Dig Insights’ Services or carry out the Documented Instructions, or as required to comply with the law or a valid and binding order of a competent governmental body. Without limiting the above, except where required by law, Dig Insights shall not communicate, disclose or otherwise share the Personal Data with any Third-Party other than Authorized Subprocessors in accordance with Section 8 of this DPA.

If a governmental body sends a request for Customer Data to Dig Insights, Dig Insights will attempt to redirect the governmental body to request that data directly from the Customer. Dig Insights may provide the Customer’s basic contact information to the governmental body as part of this effort. If compelled to disclose Personal Data to a governmental body, Dig Insights will provide the Customer with reasonable notice of the demand, allowing the Customer to seek a protective order or other appropriate remedy, unless Dig Insights is legally prohibited from doing so.

4.0 Use of AI Systems

Dig Insights may employ AI Systems solely to assist human analysts in interpreting research data, generating insights, or producing summaries.

When AI Systems are employed to provide the Services and Deliverables under the Agreement, Dig Insights shall comply with all applicable laws, rules, and regulations concerning the use of AI Systems, including, but not limited to: AI Laws, Privacy Laws, marketing and telecommunications laws, copyright and other intellectual property laws, consumer protection laws, employee protection laws, human rights, anti-discrimination and civil-rights laws, laws concerning the use of data sets as inputs for AI Systems, laws and rules related to web-scraping, and laws concerning the use of outputs from AI Systems, as may be adopted, amended, modified, or replaced from time to time.

In the provision of Services to the Customer, Dig Insights will not:

a) engage in or cause the Customer to engage in any AI practices that are prohibited by AI Laws;
b) engage, develop, use, operate, provide, or deploy any AI System without the Customer’s prior authorization, in which case the terms of Annex F shall apply; or
c) use or enter Personal Data as inputs for an AI System without the Customer’s prior authorization, and such authorization shall specify whether Annex F applies.

All AI Systems used by Dig Insights operate within secure, enterprise-grade environments under contracts and configurations that prohibit data retention or model training on Customer Data, including Personal Data.

Dig Insights ensures that:

Dig Insights maintains internal documentation and audit trails describing its use of AI Systems and will provide reasonable information to the Customer, upon request, to demonstrate compliance with this clause.

5.0 Security Practices

Dig Insights shall implement, comply with, and maintain industry-leading security procedures, technical measures, and practices (including, if applicable, adherence to any code of conduct approved by relevant government authorities), appropriate to the nature of the information, in connection with any Confidential Information that is Processed in connection with the Services. Such measures shall include, at a minimum, establishing, implementing and at all times complying with and maintaining a comprehensive, written information security program consistent with, and applying protective security measures at least as stringent as, the most protective standards set forth in: (i) generally accepted technical industry standards (e.g., ISO/IEC 27001); and (ii) any applicable Laws, including Data Protection Laws (the “Information Security Program”).

The Information Security Program shall contain the following:

a) a written organizational information security governance structure that: (A) contains comprehensive practices and procedures that address the entire organizational process, both physical and technical, and that ensures ongoing adherence to applicable Laws, including Data Protection Laws, with accountability at the highest levels of senior management and executive staff; (B) requires publication of and training on the Information Security Program, on at least an annual basis, to and for all personnel and relevant Service Providers involved in Processing Personal Information; and (C) provides for appropriate disciplinary measures for noncompliance with the Information Security Program;

b) administrative, logical, technical, and physical controls, including anonymization, pseudonymization, and/or encryption of Personal Data, that Dig Insights utilizes to: (A) monitor for, identify, assess, test, evaluate, and effectively protect against, internal and external risks to the security, availability, confidentiality, and/or integrity of Confidential Information, or to the legal rights of Data Subjects; and (B) ensure the security of Dig Insights’ Processing systems and services, with regular evaluation and testing of, and where appropriate, improvements to, the effectiveness of such controls; and

c) detective and corrective controls that are designed to promptly recognize, escalate, respond to, and minimize the adverse impact of Security Incidents and other incidents that threaten the security, availability, confidentiality, and/or integrity of Confidential Information; facilitate the gathering of forensic evidence; restore the security, availability, confidentiality, and/or integrity of Confidential Information; and make systematic improvements to Dig Insights’ management of data security risks as a consequence of any such incident.

Dig Insights shall implement, maintain, comply with, and enforce its Information Security Program at each location from which Dig Insights, or any Subprocessors, provides any part of the Services or from which access to Confidential Information, or to the systems on which Confidential Information is Processed, is possible. In addition, Dig Insights shall ensure that its Information Security Program covers all networks, systems, servers, computers, mobile phones, and other devices and media that Process Confidential Information.

6.0 Retention, Deletion and Return of Personal Data

Dig Insights shall actively coordinate with the Customer to ensure that it receives the minimum amount of Personal Data required in order to meet the terms of the Agreement and to provide its Services. Dig Insights will not retain Personal Data for longer than it is needed, and the maximum retention period of Personal Data is one year following the last date a file was accessed, at which point it will be securely and automatically deleted unless prohibited by applicable law (e.g., pursuant to a litigation hold or similar retention requirement).

During the engagement, the Customer may request that Dig Insights return or securely destroy Personal Data provided for processing under the Agreement. Dig Insights will perform these duties under the Customer’s direction, provided the Personal Data has not already been destroyed or is otherwise prevented by applicable law.

At the end of an Agreement’s term or upon the termination of the Services for which Dig Insights is processing Personal Data, Dig Insights shall return to the Customer or securely destroy any Personal Data provided by the Customer that has not already been deleted, unless otherwise prevented by Privacy Laws or subject to limitations in the Agreement.

If any law, regulation, or government or regulatory body requires Dig Insights to retain any documents, materials, or Personal Data that Dig Insights would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials, or Personal Data that it must retain, the legal basis for the retention, and establishing a specific timeline for the deletion or destruction once the retention requirement ends.

7.0 International Data Transfers

If Dig Insights processes Personal Data outside the jurisdiction where the relevant Data Subject(s) are located, Dig Insights will take any steps necessary to ensure that such cross-border data processing activities comply with, and are permitted under, applicable Privacy Laws. Dig Insights will also reasonably cooperate with Customer to facilitate Customer’s compliance with any cross-border data processing requirements that apply to Customer under the Privacy Laws.

Dig Insights agrees to comply with and ensure that each Subprocessor complies with Privacy Laws and Documented Instructions with respect to any Restricted Transfer made by the Customer. Dig Insights acknowledges and agrees that the Customer may, from time to time, require that Dig Insights or a Subprocessor agree to contractual provisions with respect to Restricted Transfers to ensure adequate safeguards for the privacy of all Data Subjects.

Dig Insights will obtain the prior written authorization of the Customer prior to any Restricted Transfer by Dig Insights to a Subprocessor for Processing in a location that is not listed in Annex A and Annex C. Dig Insights will ensure and require that each Subprocessor ensure that all Restricted Transfers authorized pursuant to this Section 7 comply with Privacy Laws, including as set forth in Annex E.

In the event that Privacy Laws impose restrictions on the cross-border transfer of Personal Data that are not contemplated herein, the Parties agree to meet in good faith to complete any formalities and enter into any documents, including amendments to the Agreement and this DPA, as may be required by such Privacy Laws.

8.0 Subprocessing

8.1 Authorized Subprocessors

As described in the Agreement, the Customer has provided their general authorization and consent to Dig Insights to use Subprocessors in delivering its Services. Where these Subprocessors provide services to Dig Insights that involve processing activities on Personal Data on its behalf, these activities will be subject to the terms of this DPA and Dig Insights’ Supplier Code of Conduct.

A list of all Subprocessors currently engaged by Dig Insights is publicly available on our Trust Center at https://trust.diginsights.com/. At least 30 days before engaging a new Subprocessor, Dig Insights will update the applicable website and provide the Customer with a mechanism to obtain notice of such update. To object to a Subprocessor, Customer can, as its sole and exclusive remedy, terminate the Agreement pursuant to its terms.

8.2 Subprocessor Obligations

Where Dig Insights authorizes a Subprocessor as described in Section 8.1:

1) Dig Insights will restrict the Subprocessor’s access to Personal Data only to what is necessary to provide or maintain the Services, and Dig Insights will prohibit the Subprocessor from accessing or otherwise processing Personal Data for any other purpose;

2) Dig Insights will enter into a written agreement with the Subprocessor and Dig Insights will impose on the Subprocessor the same contractual obligations that Dig Insights has under this DPA;

3) Dig Insights will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Dig Insights to breach any of Dig Insights’ obligations under this DPA; and

4) Dig Insights will take appropriate steps to ensure that the Subprocessors will Process Personal Data in compliance with the Privacy Laws and this DPA, including undertaking appropriate diligence when selecting Subprocessors and exercising appropriate oversight with respect to its Subprocessors.

9.0 Rights of Data Subjects

Dig Insights shall assist the Customer by implementing appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Customer’s obligations, to enable the Customer to respond to requests to exercise Data Subject rights under the Privacy Laws. This includes, but is not limited to, Data Subject access rights, the rights to rectify, port and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data.

Dig Insights will comply with information or assessment notices served on the Customer by the relevant Supervisory Authority under the Privacy Laws.

To support the Customer’s obligations, Dig Insights shall:

a) Promptly, and in any event within two business days, notify the Customer if it receives a request from a Data Subject under any Privacy Laws in respect of the Personal Data and/or any complaint, notice, or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with Privacy Laws; and

b) Ensure that it does not respond to any request from a Data Subject except on the Documented Instructions of the Customer or as required by the Privacy Laws to which Dig Insights is subject, in which case, Dig Insights shall, to the extent permitted by Privacy Laws, inform the Customer of that legal requirement before responding to the request.

10.0 Security Incident Notification

10.1 Security Incident

Dig Insights will notify the Customer of a Security Incident without undue delay, and no later than 72 hours after becoming aware of it. Dig Insights will promptly take appropriate measures to contain, address, and remediate the Security Incident, including measures to mitigate any adverse effects, and to prevent future similar incidents. Dig Insights will provide the Customer with regular updates on the Security Incident, including any Third-Party-led investigation, and will advise on the outcome.

A Security Incident includes, but is not limited to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, use, or access to, Customer Data or Personal Data; any unauthorized access to Dig Insights’ systems or facilities that store or process such data; or any other breach of the protection of Personal Data.

For clarity, the term Security Incident also includes any Data Breach, defined as a confirmed event resulting in the unauthorized access, acquisition, disclosure, use, or loss of Personal Data in violation of Privacy Laws.

Dig Insights’ obligation to report or respond to a Security Incident under this Section 10 is not and will not be construed as an acknowledgement by Dig Insights of any fault or liability of Dig Insights with respect to the Security Incident.

10.2 Dig Insights Assistance

To enable Customer to notify a Security Incident to Supervisory Authorities or Data Subjects, as applicable, Dig Insights will cooperate with and assist Customer, including by providing any information that the Customer reasonably requests to assess and comply with its obligations under Privacy Laws and/or to respond to questions and concerns from such Supervisory Authorities and Data Subjects.

10.3 Unsuccessful Security Incidents

Unless required by Privacy Laws, the Customer agrees that an unsuccessful Security Incident will not be subject to this Section 10. An unsuccessful Security Incident results in no unauthorized access to or disclosure of, use, or loss of Customer Data or Personal Data, or to any of Dig Insights’ equipment and systems storing Customer Data or Personal Data. An unsuccessful Security Incident could include, without limitation, ping and other broadcast attacks on firewalls, port scans, unsuccessful log-on attempts, denial-of-service attacks, packet sniffing, or similar incidents.

10.4 Communication

Notification(s) of Security Incidents, if any, will be delivered to one or more of the Customer’s administrators by any means Dig Insights selects, including via email. It is the Customer’s sole responsibility to ensure the Customer’s administrators maintain accurate contact information with Dig Insights and secure transmissions at all times.

10.5 Notification Obligations

If Dig Insights notifies Customer of a Security Incident, or Customer otherwise becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, Customer will be responsible for determining if there is any resulting notification or other obligation under applicable Privacy Laws and taking necessary action to comply with those obligations. This does not limit Dig Insights’ obligations under Privacy Laws; provided, however, that Dig Insights shall not name Customer in any notices, reports or communications about the Security Incident that Dig Insights is required to deliver pursuant to such laws without Customer’s prior approval, which will not be unreasonably withheld.

11.0 Auditing, Certifications, and Reporting

11.1 Certifications and Reports

In addition to the information contained in this DPA, upon the Customer’s request and provided that the parties have an applicable Non-Disclosure Agreement (“NDA”) in place, Dig Insights will make available its operational policies and procedures associated with its internal management systems aligned with the requirements of the AICPA’s System and Organization Controls (“SOC”) standard and the ISO 20252 and ISO 27001 standards.

Clients may request these documents directly from Dig Insights’ Trust Center at https://trust.diginsights.com/ or by contacting the Digital Trust team at trust@diginsights.com. This documentation may include external audit reports, certificates, and internal documentation describing the implemented controls.

11.2 Dig Insights Audits

Dig Insights uses external auditors to verify the adequacy of its security measures and alignment with industry standards. These audits are performed at least annually, according to the requirements of ISO standards and the SOC 2 framework, by independent third-party security professionals at Dig Insights’ selection and expense and will result in the generation of an audit report (“Report”), which will be Dig Insights’ Confidential Information. Such Reports will be made available to the Customer upon request.

In addition to ISO and SOC audits, Dig Insights also conducts external penetration testing annually on its SaaS applications to verify their security and address potential vulnerabilities. The reports from these external penetration tests are also available upon request, subject to a signed NDA.

11.3 Customer Audits

Dig Insights will permit the Customer or a representative to audit Dig Insights’ compliance with this DPA, on at least seven days’ notice. Dig Insights will provide the Customer with all necessary assistance to conduct such audits. Where such an audit occurs, the Customer shall bear all of its own costs of conducting the audit or those of its representative. The assistance may include, but is not limited to:

a) Remote electronic access to, and copies of the records and any other information held on systems storing the Personal Data;
b) Access to and meetings with any of the Company’s personnel reasonably necessary to provide all explanation and perform the audit effectively; and
c) Inspection of all records and the infrastructure, electronic data or systems, facilities, equipment or application software used to store and process the Personal Data.

The notice requirements described above will not apply if (i) the Customer reasonably believes that a Personal Data Breach occurred, (ii) Dig Insights is in breach of any of its obligations under this DPA or any Privacy Laws, or (iii) if such audit is mandated by the relevant Supervisory Authority.

If a Personal Data Breach occurs or is occurring or Dig Insights becomes aware of a breach of any of its obligations under this DPA or any Privacy Laws, Dig Insights will:

a) Notify the Customer promptly as detailed above;
b) Promptly conduct its own audit to determine the cause; and
c) Remedy any deficiencies identified by the audit within thirty (30) days.

11.4 Data Protection Impact Assessments and Consultation with Supervisory Authorities

Upon the Customer’s reasonable request, Dig Insights shall provide the Customer with commercially reasonable cooperation and assistance needed to fulfill the Customer’s obligation under the Privacy Laws to carry out a data protection impact assessment, privacy impact assessment, threat impact assessment, algorithmic impact assessment, or transfer impact assessment, or similar assessment described under applicable Privacy Laws related to the Customer’s use of the Services, to the extent the Customer does not otherwise have access to the relevant information, and to the extent that such information is available to or could be obtained by Dig Insights.

Dig Insights shall provide commercially reasonable assistance to the Customer, in cooperation with or prior consultation with the Supervisory Authority, to the extent required under the GDPR or other Privacy Laws.

12.0 Survival

The data protection obligations in the Agreement between Dig Insights and the Customer, including the obligations described under the attached annexes, shall continue for as long as Dig Insights, or any of its Subprocessors, continue to process Personal Data, even if all agreements between Dig Insights and the Customer have expired or been terminated.

13.0 Definitions

Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:

“AI Laws” means all artificial intelligence (AI) laws and regulations applicable to the parties, including but not limited to the EU AI Act, and any other relevant laws governing the use and operations of AI Systems. AI Laws shall also include the Privacy Laws, as interpreted by relevant Supervisory Authorities, as such laws apply to the processing of Personal Data by AI Systems.

“AI Model” means the underlying algorithmic or machine-learning component used by an AI System to generate outputs.

“AI System(s)” means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.

“Canadian Privacy Laws” means the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (Canada), the Personal Information Protection Act, SA 2003, c P-6.5 (Alberta), the Personal Information Protection Act, SBC 2003, c 63 (British Columbia), and the Act respecting the protection of personal information in the private sector, CQLR c P-39.1 (Quebec), each as amended, replaced and interpreted from time to time and together with the regulations thereto.

“Controller”, “Data Subject”, “Processor”, “Process/Processes/Processed/Processing”, “Sensitive Personal Information”, and “Supervisory Authority,” whether or not capitalized herein, shall have the meaning ascribed to them under the General Data Protection Regulation [(EU) 2016/679] (“GDPR”). The definitions for these terms may otherwise have the meaning ascribed to them under applicable Privacy Laws, where processing occurs in a jurisdiction where these terms offer unique or more prescriptive definitions.

“Customer Data” means all data, information, or materials, including Personal Data, provided by or on behalf of the Customer to Dig Insights under the Agreement.

“Digital Trust Team” means the internal Dig Insights group responsible for data protection, information security, and compliance oversight.

“Documented Instructions” means the documented directions provided by the Customer to Dig Insights specifying how Customer Data and Personal Data are to be processed.

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Information Security Program” means Dig Insights’ documented framework of technical and organizational measures designed to protect Customer Data, as referenced in Annex B.

“Non-Disclosure Agreement” or “NDA” means any confidentiality agreement executed by Dig Insights and the Customer.

“Personal Data” shall have the meaning assigned to the terms “personal information” and/or “personally identifiable information” and/or “personal data” under applicable Privacy Laws and shall, at a minimum, mean any information relating to an identified or identifiable natural person. Personal Data shall also include, without limitation, the Personal Data listed in Annex A. For clarity, references to Personal Data in this DPA mean: (1) the Personal Data provided by the Customer to Dig Insights; and (2) any Personal Data collected by Dig Insights on behalf of the Customer.

“Privacy Laws” means all data protection and privacy laws applicable to the parties, including but not limited to GDPR, UK GDPR, Canadian Privacy Laws, US Privacy Laws, and any other relevant laws governing the processing of Personal Data.

“Restricted Transfer” means a cross-border transfer or other disclosure of Personal Data that is restricted by Privacy Laws because the disclosure is made to a person or entity located in a jurisdiction which a competent government or regulatory authority or the Customer as a Controller determines does not ensure the same or higher level of data protection as the jurisdiction from which the Personal Data originates (“Originating Jurisdiction”).

“Security Incident” or “Incident” means any actual or suspected event that compromises or may compromise the confidentiality, integrity, or availability of Customer Data or Personal Data processed by Dig Insights or its Subprocessors.

“Subprocessor” means any third party engaged by Dig Insights that processes Personal Data on Dig Insights’ behalf in connection with the Services.

“Third-Party” means any natural or legal entity other than Dig Insights, the Customer, or their respective employees or agents.

“Trust Center” means Dig Insights’ public-facing information and documentation portal, accessible at https://trust.diginsights.com/

“US Privacy Laws” means all applicable federal and state data protection and privacy laws and regulations of the United States, including, without limitation, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”); the Colorado Privacy Act, C.R.S. § 6-1-1301 et seq.; the Connecticut Data Privacy Act, Conn. Gen. Stat. § 42-515 et seq.; the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.; the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq.; and any other similar comprehensive state privacy or data protection laws enacted in the United States, each as amended, replaced, superseded, or interpreted from time to time, together with any regulations promulgated thereunder.

Annex A - Description of Processing of Personal Data

Categories of Data Subjects: Research participants

Categories of Personal Data

The Personal Data processed under this Agreement shall include the following categories:

Nature & Purpose of Processing: To enable Dig Insights to provide the Services in accordance with the Agreement.

Types of Data Processing

The types of data processing performed by Dig Insights include:

Location(s) of Processing

Frequency & Duration of Processing

The frequency and duration of the Processing will be the same as the duration of the Agreement, except as otherwise set forth below or agreed in writing by the Parties.

Specific retention or destruction requirements (if any):

Annex B - Technical & Organizational Measures

This Annex summarizes the technical and organizational measures (TOMs) Dig Insights maintains to protect the security, confidentiality, integrity, and availability of Customer Data processed under the Agreement.

Dig Insights shall maintain its compliance with and continuously improve its Information Security, Quality, and Privacy Management Systems to ensure that its operations, controls, and processes continue to meet or exceed the requirements of applicable Privacy Laws and industry standards, as required by this DPA and the Agreement with the Customer.

In supporting these TOMs, Dig Insights’ security control framework shall be aligned with ISO 27001, ISO 27701, ISO 42001, and the SOC 2 principles.

Minimum Assurances under this DPA

Regardless of the internal policy references provided in Annex G, Dig Insights guarantees that:

  1. Access Control: Personal Data is accessible only to authorized personnel on a least-privilege, need-to-know basis; all remote and administrative access requires multi-factor authentication.
  2. Encryption: Personal Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 or stronger).
  3. Segregation of Data: Customer Data is logically separated to prevent cross-tenant access.
  4. Network Security: Firewalls, intrusion-detection systems, and continuous monitoring protect production environments.
  5. Application Security: Secure-development lifecycle (SDL) controls, code reviews, and annual third-party penetration tests are conducted.
  6. Vulnerability Management: External vulnerability scans occur quarterly; critical issues are remediated within defined SLAs.
  7. Logging & Monitoring: Centralized SIEM logging detects anomalous behavior and triggers 24/7 alerts.
  8. Business Continuity: Redundant infrastructure and daily backups support an RTO ≤ 24 hours and RPO ≤ 4 hours.
  9. Employee Security: All personnel receive annual privacy and security training; background checks are performed where legally permitted.
  10. Subprocessor Oversight: Subprocessors are required to meet equivalent or stronger security standards and provide evidence of SOC 2 Type II or ISO 27001 certification.
  11. AI-System Security: Prompts and outputs handled by AI systems are pseudonymized, logged, and encrypted; no Customer Data is used for model training.

Certification and Audit

Dig Insights shall maintain annual audit and certification processes with independent, accredited auditors to validate and attest to its compliance with the described ISO and SOC requirements. These audit bodies shall provide detailed reports and certificates, which will be made available to the Customer upon request, upon execution of a signed and authorized NDA.

External penetration testing of Dig Insights’ SaaS applications shall be performed annually to validate the effectiveness of the TOMs. Upon the Customer’s request, and subject to NDA, Dig Insights will provide executive summaries of these reports as proof of compliance.

Policy Governance and Continuous Improvement

Dig Insights shall review the TOMs, including the governance policies, at least annually or after material organizational or regulatory changes. Where changes or updates are required to any of the TOMs or policies, Dig Insights shall ensure that such changes or updates do not reduce the overall level of protection provided to the Customer and their data.

Reference Documentation and Availability

Dig Insights shall maintain a Trust Center or equivalent system where Customers can review the current certifications, security controls, supporting documentation, and a list of Subprocessors. This Trust Center shall include all reference documentation referenced in this DPA and its annexes, and be made available to Customers or regulators under NDA. The Trust Center is available at: https://trust.diginsights.com/

Reference documentation and supporting evidence may also be supplied to interested parties who submit a reasonable written request and execute a signed and authorized NDA.

Annex C - List of Authorized Subprocessors

The Subprocessors described below are identified as key service providers crucial to Dig Insights’ ability to provide the Services and Deliverables described under the Agreement.

The Subprocessors in the following section are authorized to support core business operations and the Consultative Services provided under the Agreement.

Microsoft Corporation
1 Microsoft Way, Redmond, WA, USA 98052
Services Provided: Email and File Management Systems
Location of Processing: Canada
Data Categories Processed: All stored data and business communications
Other Processing Details (If any):

OpenAI, L.L.C.
1455 3rd Street, San Francisco, CA, USA 94158
Services Provided: ChatGPT Enterprise
Location of Processing: Canada
Data Categories Processed: De-identified and/or Pseudonymized text only
Other Processing Details (If any): Dig Insights personnel are provided enterprise-grade access to ChatGPT Enterprise and may use this to assist with day-to-day business operations. Functions are limited by security controls implemented across the enterprise tenant.

Where the Services include Dig Insights’ SaaS products, the following Subprocessors will be authorized in addition to the primary Subprocessors described above:

Amazon Inc. (Amazon Web Services)
410 Terry Avenue North, Seattle, WA, USA 98109
Services Provided: Cloud infrastructure for SaaS applications
Location of Processing: Canada
Data Categories Processed: De-identified and/or Pseudonymized text. Audio & Video interactions through the Moderator module.
Other Processing Details (If any): 

Cint AB
IOFFICE Business Center Drottninggatan 32, 4 tr, Stockholm, Sweden 111 51
Services Provided: Marketplace of respondents for survey recruitment
Location of Processing: Canada
Data Categories Processed: Contact and demographic information
Other Processing Details (If any): Cint acts as a Data Controller for their research panels, passing along interactions with marketplace respondents via API to Dig Insights’ SaaS applications. Dig Insights and the Customer will never be provided access to any details about these Data Subjects, besides pseudonymized responses from the survey interactions. 

Intercom Inc.
55 2nd Street, 4th Fl., San Francisco, CA, USA 94105
Services Provided: In-application Customer Support
Location of Processing: United States of America
Data Categories Processed: Contact details for the Customer personnel requesting assistance
Other Processing Details (If any):  

OpenAI, L.L.C.
1455 3rd Street, San Francisco, CA, USA 94158
Services Provided: ChatGPT Enterprise & OpenAI’s APIs
Location of Processing: Canada
Data Categories Processed: De-identified and/or Pseudonymized text. Audio & Video interactions through the Moderator module.
Other Processing Details (If any): Dig Insights uses the APIs provided by OpenAI’s Enterprise license to power our AI Systems. These systems are designed and controlled as described in Section 4 and Annex F of this DPA.

Annex D - Data Breach & Incident Response Procedures

This Annex summarizes Dig Insights’ commitment and requirements in detecting, responding to, and reporting Security Incidents involving Customer Data processed under the Agreement.

Dig Insights shall maintain its compliance with and continuously improve its Information Security, Quality, and Privacy Management Systems to ensure that its operations, controls, and processes continue to meet or exceed the requirements of applicable Privacy Laws and industry standards, as required by this DPA and the Agreement with the Customer.

In support of Privacy Laws, Dig Insights shall maintain the necessary personnel and processes to comply with requirements regarding Data Breaches and Security Incidents. This shall include timely written notifications to the Customer at the address of their choosing.

Minimum Assurances under this DPA

Regardless of the internal policy references provided in Annex G, Dig Insights guarantees that:

  1. Customers will be notified of any confirmed Security Incident involving their data without undue delay and no later than 72 hours after confirmation.
  2. All incidents are logged and investigated under the supervision of the DPO, Digital Trust team, and IT & Security team.
  3. Subprocessors are contractually bound to report incidents to Dig Insights within 24 hours of discovery.
  4. Records of Security Incidents are retained for at least five years, in accordance with Privacy Laws.

Policy Governance and Continuous Improvement

Dig Insights shall review the approach and processes for managing Security Incidents at least annually or after material organizational or regulatory changes. Where changes or updates are required to any of the Security Incident processes or policies, Dig Insights shall ensure that such changes or updates do not reduce the overall level of protection provided to the Customer and their data.

Reference Documentation and Availability

Dig Insights shall maintain a Trust Center or equivalent system where Customers can review the current certifications, security controls, supporting documentation, and a list of Subprocessors. This Trust Center shall include all reference documentation referenced in this DPA and its annexes, and be made available to Customers or regulators under NDA. The Trust Center is available at: https://trust.diginsights.com/

Reference documentation and supporting evidence may also be supplied to interested parties who submit a reasonable written request and execute a signed and authorized NDA.

Annex E - International Transfer Mechanisms

Without limiting the generality of Section 7 of the DPA, Dig Insights agrees to the following contractual clauses and other requirements with respect to any actual or planned Restricted Transfer.

Cross-border Data Transfers

1. Adequacy Decision(s). For the avoidance of doubt, the cross-border data transfer (“Transfer”) mechanisms below shall not apply to the extent that Privacy Laws have deemed the Transfer is to an adequate country (“Adequacy Decision”).

2. EU SCCs. Except as otherwise set forth in this paragraph, the appropriate module set forth in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “SCCs”), as may be amended from time to time, will apply to: (i) any Transfer of Personal Data that is subject to the GDPR (or was subject to the GDPR prior to its transfer to the data exporter) to a data importer located outside of the European Economic Area (“EEA”); and (ii) any Transfer of Personal Data that is subject to the laws of a country outside the EEA in which the competent authority has approved the use of the SCCs, including but not limited to Japan and Switzerland, (each, an “Adopting Country”) (or was subject to the laws of the Adopting Country prior to its Transfer to the data exporter) to a data importer located outside of the Adopting Country.

a. If the Transfer is from a data exporter acting as a Controller to a data importer acting as a Processor, the transfer will be governed by the SCCs (Module 2 – Controller to Processor).

b. If the Transfer is from a data exporter acting as a Processor to a data importer acting as a Processor, the transfer will be governed by the SCCs (Module 3 – Processor to Processor).

c. Where the Transfer relates to Personal Information subject to GDPR, the parties agree:

i. The contents of Annex A and Annex B to the DPA shall form Annex I and Annex II to the SCCs, respectively.

ii. Clause 7 (Docking Clause) of the SCCs applies.

iii. Before disclosing a copy of the SCCs pursuant to transparency (namely, Clause 8.2 in Module 1, and Clause 8.3 in Modules 2 and 3), the disclosing party must use commercially reasonable efforts to redact all commercial terms but provide a meaningful summary if the data subject would otherwise not be able to exercise their rights as a result of the redaction.

iv. Per Clause 9(a) of the SCCs, the data exporter hereby provides a general authorization (Option 2) for the Processing of Personal Data as set forth in the DPA. The data importer shall specifically inform the data exporter in writing of any intended change to Sub-Processors as set forth in the DPA.

v. For Clause 13 (Supervision), Annex I.C (Supervisory Authority), Clause 17 (Governing law – Option 1), and Clause 18 (Choice of forum and jurisdiction) of the SCCs, the parties elect the supervisory authority, laws, and courts of Belgium.

Adopting Countries (e.g., Switzerland, Japan, etc.) SCCs

3. Where the Transfer relates to Personal Data subject to the Privacy Laws of an Adopting Country, the parties agree:

a. All references in the SCCs to “Union”, “EU,” “Member State”, “General Data Protection Regulation”, will be interpreted as references to the Adopting Country and its relevant laws;

b. For Clause 13 (Supervision), Annex I.C (Supervisory Authority), Clause 17 (Governing law – Option 1), and Clause 18 (Choice of forum and jurisdiction) of the SCCs, the parties elect the supervisory authority, laws, and courts of the Adopting Country.

UK GDPR SCCs

4. Where the Transfer of Personal Information is subject to the Privacy Laws of the United Kingdom (including the UK General Data Protection Regulation), the parties agree:

a. The standard data protection clauses, Version A1.0, in force 21 March 2022, issued by the Information Commissioner’s Office (“ICO”) under the UK GDPR (“UK SCCs” or “IDTA”), as may be amended from time to time, shall apply in full; and

b. The contents of Annex I and Annex II to the DPA shall form Tables 1-4 to the UK SCCs.

For Transfers subject to the Privacy Laws of the People’s Republic of China

5. Where the Transfer relates to Personal Data subject to the Personal Information Protection Law (“PIPL”) of the People’s Republic of China (“China”), the Parties agree that Dig Insights shall not transfer any Personal Data outside of China, unless Dig Insights obtains the prior written authorization of the Customer. For the avoidance of doubt, where applicable, Dig Insights is deemed to have obtained authorization of the Customer to transfer Personal Data to the location(s) outside of China that is/are listed in Annex A and Annex C. Dig Insights agrees to assist the Customer in complying with their obligations under applicable Privacy Laws of China.

Other SCCs or MCCs (e.g., Abu Dhabi Global Market, New Zealand, RIPD, etc.)

6. Where the Transfer of Personal Data is subject to a Privacy Law in a jurisdiction that has adopted other standard contractual clauses, model contractual clauses, or functionally equivalent contracts, as a valid international data transfer mechanism (“Other Contractual Clauses” or “OCCs”), the parties agree:

a. The mandatory terms of the OCCs applicable to controller-to-processor data transfers shall apply in full;

b. Annex I to this DPA accurately describes the parties and data processing for purposes of the OCCs;

c. The supervisory authority, governing law, choice of forum and jurisdiction shall be as mandated in the OCCs or, if left to parties’ election, the laws where the Personal Data was collected;

d. Annex B to the DPA (Technical and Organizational Measures) accurately describes the technical, security and other organizational measures for the protection of Personal Data under the OCCs;

e. Annex C to this DPA accurately describes the Sub-Processors. The data exporter hereby provides a general authorization for the Processing of Personal Data as set forth in the DPA. The data importer shall specifically inform the data exporter in writing of any intended change to Sub-Processors as set forth in the DPA; and

f. If, and only to the extent, the OCCs include non-mandatory provisions not already addressed in the DPA, the parties will cooperate in good faith to negotiate and execute the OCCs to address such provisions if necessary to effectuate the validity of the OCCs as a transfer mechanism.

Annex F - AI Systems & Data Governance Controls

Without limiting the generality of Section 4 of the DPA, Dig Insights shall adhere to the following clauses when processing Personal Information under the Agreement in connection with an AI System that has been authorized by the Customer in accordance with Section 4 of the DPA.

Regulatory Compliance

As reasonably practicable, Dig Insights will not engage, develop, use, operate, provide, or deploy any AI System in connection with its performance of the Agreement without obtaining the Customer’s prior authorization.

In the performance of its obligations under the Agreement, Dig Insights will comply with:

a) all Customer AI Policies; and
b) all AI Laws.

Dig Insights will not carry out any actions that would cause the Customer to breach or infringe any AI Laws. Dig Insights will reasonably cooperate and assist the Customer with meeting its compliance obligations related to all AI Laws.

Dig Insights warrants and represents that the AI System used or provided under the Agreement is designed, developed, and tested in a way that ensures that its operation is compliant with AI Laws and the Customer’s use of the AI System or products and deliverables generated by the AI System would not cause the Customer to breach or infringe any AI Laws.

Dig Insights will only process Personal Information in connection with the AI System used or provided under the Agreement in accordance with the Customer’s Documented Instructions. Dig Insights will immediately notify the Customer if it believes that the Customer’s instructions violate any AI or Privacy Laws.

Technical Documentation

Upon request, Dig Insights will provide to the Customer technical documentation and accompanying instructions for use for that AI System in an appropriate digital format or otherwise that is in compliance with AI Laws and include concise, complete, correct, up-to-date, and clear information that is relevant, accessible, and comprehensive to the Customer to enable it to use or operate the AI System appropriately throughout its lifecycle. Dig Insights shall ensure that such technical documentation and accompanying instructions for use remain up to date.

Training of AI Systems

Dig Insights will not carry out any training, validation, or otherwise develop its AI System or the underlying AI Model using Customer Data. AI Systems utilized or developed by Dig Insights as part of the Agreement shall use configurations that disable the AI System's ability to train using the provided inputs. The underlying AI Models shall be provided by an authorized Third-Party who must comply with AI Laws and industry standards regarding the lawfulness, accuracy, non-bias, non-discrimination, and transparency requirements for responsible and ethical AI.

Transparency and Explainability in decisions or outputs

Dig Insights will ensure and will continue to ensure that the AI System used or provided under the Agreement is designed, developed, and tested in a way that ensures that its operation is sufficiently transparent and interpretable, including ensuring that: (i) its outputs can be traced back to the relevant input data; (ii) information is provided to natural persons in a clear and distinguishable manner, at the latest at the time of the first interaction or exposure, that they are interacting with the AI System; and (iii) outputs are marked in a machine-readable format, detectable, and disclosed as artificially generated or manipulated.

The technical documentation and accompanying instructions of use provided by Dig Insights, pursuant to the Technical Documentation section of this Annex F, must contain information that allows the Customer to:

a) understand the logic behind an individual output from the AI System; and

b) provide meaningful information about the logic involved in the AI System for the purposes of satisfying any applicable transparency or explainability requirements under AI Laws.

Using an AI System to provide services

Where Dig Insights uses an AI System to provide services to the Customer under the Agreement, Dig Insights must:

a) not use such AI System to augment or inform decisions impacting individuals;

b) conduct human review and verification of any output generated by the AI System to ensure the output is accurate, free of any hallucinations, not misleading, and not biased or discriminatory of any legally protected characteristics; and

c) not cause the Customer to breach or infringe any AI Laws.

Human Oversight

Dig Insights will ensure and will continue to ensure that the AI System used or provided under the Agreement is designed, developed, and tested in a way that natural persons can effectively oversee it during the period for which the AI System is in use, including through the provision of appropriate human-machine interface tools and instructions.

Ongoing Monitoring and Record Keeping

Dig Insights will ensure that ongoing monitoring and testing of the AI Systems used or provided under the Agreement is conducted to ensure its accuracy, lawfulness, non-discriminatory output, and that it continues to function as intended.

Dig Insights will ensure that detailed, accurate, and up-to-date records are maintained in relation to the ongoing monitoring and testing of the AI System used or provided under the Agreement. Copies of these records will be provided to the Customer upon request.

Robustness and Security

Dig Insights will continue to ensure that the AI System used or provided under the Agreement is designed, developed, and tested in a way that, appropriate to the relevant circumstances and risks, it will be resilient against attempts by unauthorized third parties to alter its use, outputs, or performance by exploiting system vulnerabilities, including, where appropriate, measures to prevent, detect, respond to, resolve, and control for attacks trying to manipulate the training data set (data poisoning), or pre-trained components used in training (model poisoning), inputs designed to cause the AI model to make a mistake (adversarial examples or model evasion), confidentiality attacks, or model flaws.

Incident Reporting

In connection with the processing of Personal Information, Dig Insights will provide notification to the Customer through their preferred contact method within twenty-four (24) hours after becoming aware of any event, circumstance, or series of events where the development, use, or malfunction of the AI System used or provided under the Agreement directly or indirectly leads to (collectively described as an “AI Incident”):

a) death of a person, or injury or harm to the health of a person or groups of people;

b) disruption of the management and operation of critical infrastructure;

c) violations of human rights or a breach of obligations under the applicable law intended to protect fundamental, labour, and intellectual property rights; and

d) harm to property, communities, or the environment.

Dig Insights will investigate and support the AI Incident process using the Incident Response procedures referenced in Annex G. These procedures shall include the necessary steps to keep the Customer informed of the status of the AI Incident, the steps being taken to identify and resolve the incident, and any additional requirements necessary for Dig Insights and the Customer to fulfil their requirements under AI Laws.

Annex G - Reference Documentation

The following reference documentation is designed and implemented by Dig Insights in alignment with its obligations under various laws and industry standards to ensure an adequate level of trust with the Customer. These documents meet the requirements of the AICPA SOC 2, ISO 20252, and ISO 27001 standards.