Data Processing Agreement
Effective Date: March 5, 2026
Last Updated: March 5, 2026
Version: 1.0
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Askalot ("Processor," "we," "us") and the Customer ("Controller," "you") and governs the processing of personal data by Askalot on behalf of the Customer pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
By using Askalot's services, this DPA automatically applies. No separate signature is required.
1. Definitions
Terms not defined here have the meanings given in the GDPR or the Agreement.
- "Customer Personal Data" means any personal data processed by Askalot on behalf of the Customer in connection with the Services.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "Services" means the Askalot survey platform, including all features, APIs, and MCP interfaces.
- "Sub-processor" means any third party engaged by Askalot to process Customer Personal Data.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
- "Technical and Organizational Measures" ("TOMs") means the security measures described in Appendix 2.
2. Scope and Roles
2.1 Relationship of the Parties
The Customer acts as the Data Controller determining the purposes and means of processing. Askalot acts as the Data Processor processing Customer Personal Data solely on behalf of the Customer.
2.2 Scope of Processing
Askalot processes Customer Personal Data only to provide the Services as described in Appendix 1. The categories of data subjects, types of personal data, and purposes of processing are set out in Appendix 1.
2.3 Governing Law
This DPA is governed by the laws of the Republic of Austria. The courts of Vienna have exclusive jurisdiction.
3. Customer Obligations
The Customer warrants that:
- It has a lawful basis (e.g., consent, legitimate interest) for collecting and processing personal data through the Services
- It has provided adequate notice to Data Subjects about data collection, including privacy notices that reference the use of Askalot as a processor
- It has obtained all necessary consents from survey respondents before collecting their data
- It will respond to Data Subject requests from survey respondents, as the Controller is responsible for fulfilling such requests
- Any instructions given to Askalot for processing comply with applicable data protection laws
4. Processor Obligations
4.1 Processing Instructions
Askalot shall:
- Process Customer Personal Data only on the Customer's documented instructions, including transfers to third countries, unless required by EU or member state law — in which case Askalot will inform the Customer before processing (unless prohibited by law)
- Immediately inform the Customer if, in Askalot's opinion, an instruction infringes the GDPR or other applicable data protection law
4.2 Confidentiality
All Askalot personnel authorized to process Customer Personal Data are bound by confidentiality obligations. Access to Customer Personal Data is restricted to personnel who require it to perform the Services.
4.3 Security Measures
Askalot implements and maintains the Technical and Organizational Measures described in Appendix 2, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to Data Subjects.
4.4 Data Subject Rights
Askalot shall assist the Customer in responding to Data Subject requests under GDPR Articles 15–22, including requests for access, rectification, erasure, restriction, portability, and objection, by:
- Promptly forwarding any Data Subject request received directly by Askalot to the Customer
- Providing technical capabilities (API, UI) for the Customer to fulfill requests independently
- Providing reasonable cooperation where the Customer cannot fulfill requests without Askalot's assistance
4.5 Data Protection Impact Assessments
Askalot shall provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments (Article 35) and prior consultations with supervisory authorities (Article 36), to the extent that Askalot's processing activities are relevant.
4.6 Records of Processing
Askalot maintains records of processing activities carried out on behalf of the Customer, as required by Article 30(2) GDPR. These records are available to the Customer and supervisory authorities upon request.
5. Security Incident Notification
5.1 Notification
Askalot shall notify the Customer of any Security Incident without undue delay, and in any event within 72 hours of becoming aware of the incident. Notification shall include:
- A description of the nature of the incident, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of Askalot's point of contact
- A description of the likely consequences of the incident
- A description of the measures taken or proposed to address the incident
5.2 Cooperation
Askalot shall cooperate with the Customer and take reasonable measures to assist in the investigation, mitigation, and remediation of the Security Incident. Askalot shall provide updates as additional information becomes available.
5.3 No Assessment of Impact
Notification under this Section does not constitute an acknowledgement of fault or liability. The Customer remains responsible for assessing the impact and determining whether to notify supervisory authorities (Article 33) or Data Subjects (Article 34).
6. Sub-processors
6.1 General Authorization
The Customer provides general authorization for Askalot to engage Sub-processors to process Customer Personal Data, subject to the conditions in this Section.
6.2 Current Sub-processors
The current list of Sub-processors is set out in Appendix 3. Askalot maintains the list at https://docs.askalot.io/about/data-processing-agreement/#appendix-3-sub-processors.
6.3 Notification of Changes
Askalot shall notify the Customer at least 30 days before adding or replacing a Sub-processor. Notification is provided via email to the Customer's registered account address and by updating the Sub-processor list.
6.4 Objection Right
The Customer may object to a new or replacement Sub-processor on reasonable grounds within 30 days of notification. If the Customer objects:
- Askalot shall make reasonable efforts to provide the Services without using the objected-to Sub-processor
- If Askalot cannot reasonably provide the Services without the Sub-processor, either party may terminate the affected portion of the Agreement with 30 days' notice
- Termination under this clause does not affect any pre-paid fees for the terminated period
6.5 Sub-processor Obligations
Askalot shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA. Askalot remains fully liable for the acts and omissions of its Sub-processors.
7. International Data Transfers
7.1 Processing Location
Askalot processes all Customer Personal Data within the European Union. Infrastructure is hosted in EU data centers. No Customer Personal Data is transferred outside the EU for core service operations.
7.2 Transfer Safeguards
If a transfer of Customer Personal Data outside the EU becomes necessary (e.g., due to a Sub-processor change or Customer instruction), Askalot shall ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Sub-processor) as applicable
- Adequacy decisions by the European Commission
- Other approved transfer mechanisms under GDPR Article 46
7.3 Supplementary Measures
Where required by the circumstances of the transfer (per the Schrems II decision), Askalot shall implement supplementary technical and organizational measures to ensure an essentially equivalent level of protection.
8. Audit Rights
8.1 Audit
The Customer has the right to audit Askalot's compliance with this DPA. Audits may be conducted by the Customer or an independent third-party auditor appointed by the Customer, subject to:
- Reasonable advance notice of at least 30 days
- Conducted during normal business hours
- Limited to one audit per calendar year, unless a Security Incident has occurred or a supervisory authority requires additional audits
- The auditor entering into confidentiality obligations acceptable to Askalot
8.2 Audit Alternatives
Askalot may satisfy audit requests by providing:
- Relevant security certifications or audit reports (e.g., SOC 2 Type II, ISO 27001) where available
- Written responses to reasonable audit questionnaires
- Access to Askalot's audit trail system for the Customer's own data
8.3 Costs
Each party bears its own costs for audits. If an audit reveals material non-compliance, Askalot shall bear the costs of remediation and any follow-up audit.
9. Data Retention and Deletion
9.1 During the Agreement
Customer Personal Data is retained for the duration of the Agreement. The Customer may delete data at any time using the platform interface or API.
9.2 After Termination
Upon termination of the Agreement:
- The Customer may export all data for 30 days following termination
- After the export period, Askalot shall delete all Customer Personal Data from live systems within 30 days
- Residual copies in backup systems shall be overwritten within 60 days of deletion from live systems
- During the backup retention period, data is not actively processed and is protected by the same security measures
9.3 Legal Retention
Askalot may retain Customer Personal Data beyond the periods above only where required by EU or member state law. In such cases, Askalot shall inform the Customer of the legal requirement and limit processing to what is strictly necessary for compliance.
9.4 Certification
Upon request, Askalot shall provide written certification confirming that Customer Personal Data has been deleted in accordance with this Section.
10. Liability
Liability under this DPA is subject to the limitations set out in the Agreement. Each party is liable for damage caused by processing that infringes the GDPR, in accordance with Article 82 GDPR.
11. Duration and Termination
This DPA takes effect when the Customer begins using the Services and remains in force for the duration of the Agreement. Obligations relating to confidentiality, data deletion, and cooperation with supervisory authorities survive termination.
12. Amendments
Askalot may update this DPA to reflect changes in applicable law, regulatory guidance, or processing activities. Material changes are notified to the Customer at least 30 days in advance. Continued use of the Services after the effective date of changes constitutes acceptance.
13. Contact
For questions about this DPA:
- Email: [email protected]
- Data Protection Officer: [email protected]
Appendix 1: Processing Details
Subject Matter and Purpose
Processing of Customer Personal Data to provide the Askalot survey platform, including:
- Survey creation, distribution, and response collection
- Campaign management and respondent tracking
- Statistical analysis and data export
- User authentication and access control
- Audit trail and compliance logging
Categories of Data Subjects
- Survey respondents: Individuals who complete surveys created by the Customer
- Platform users: Customer's employees or contractors who access the Services
- Interviewers: Users who facilitate surveys on behalf of the Customer
Types of Personal Data
| Category | Data Elements |
|---|---|
| Account data | Name, email address, organization, login credentials |
| Respondent data | Name, email, age, gender, location, external ID, custom attributes |
| Survey responses | Answers to survey questions (may include opinions, preferences, demographic details) |
| Usage data | Actions performed in the platform, session metadata |
| Technical data | IP addresses, browser information, API access logs |
Special Categories of Data
The Customer may configure surveys that collect special categories of data (Article 9 GDPR), such as health data, political opinions, or religious beliefs. The Customer is solely responsible for ensuring a lawful basis for processing such data and for implementing appropriate safeguards.
Retention
As specified in Section 9 of this DPA.
Appendix 2: Technical and Organizational Measures
Askalot implements the following measures pursuant to Article 32 GDPR. For additional detail, see the Security Statement.
Encryption
| Layer | Measure |
|---|---|
| In transit | TLS 1.2+ for all connections; HSTS enforced |
| At rest | AES-256 encrypted storage volumes |
| Backups | Encrypted with separate keys |
Access Control
| Measure | Implementation |
|---|---|
| Authentication | OIDC with RS256-signed tokens; OAuth 2.1 for API access |
| Authorization | Role-based access control per organization |
| Credential storage | bcrypt-hashed passwords; no plaintext storage |
| Session management | JWT tokens with configurable expiration |
| Administrative access | Restricted to authorized personnel; no shared accounts |
Tenant Isolation
| Measure | Implementation |
|---|---|
| Compute isolation | Each tenant runs in a dedicated Linux container (LXC) |
| Network isolation | Tenants cannot communicate with each other |
| Data isolation | Separate data volumes per tenant |
| Database isolation | Per-tenant database schemas with connection pooling |
Infrastructure Security
| Measure | Implementation |
|---|---|
| Hosting | EU data center; no data processed outside the EU |
| Firewall | Cloudflare WAF with managed rulesets (SQLi, XSS, RCE protection) |
| TLS termination | Traefik ingress with automatic Let's Encrypt certificates |
| DDoS protection | Cloudflare edge network |
Monitoring and Incident Response
| Measure | Implementation |
|---|---|
| Logging | Centralized log aggregation with structured logging |
| Audit trail | Immutable audit events for all data operations |
| Metrics | Continuous monitoring of service health and performance |
| Distributed tracing | Request-level tracing across all services |
| Alerting | Automated alerts for anomalies and security events |
Data Availability
| Measure | Implementation |
|---|---|
| Backups | Regular encrypted backups with point-in-time recovery |
| Redundancy | Database replication and health monitoring |
| Disaster recovery | Documented recovery procedures with tested restore processes |
Organizational Measures
| Measure | Implementation |
|---|---|
| Confidentiality | All personnel bound by confidentiality obligations |
| Access reviews | Periodic review of access privileges |
| Incident response | Documented incident response procedures |
| Data minimization | Collection limited to what is necessary for the Services |
Appendix 3: Sub-processors
Last Updated: March 5, 2026
The following Sub-processors are authorized to process Customer Personal Data:
| Sub-processor | Location | Purpose | Data Processed |
|---|---|---|---|
| Hetzner Online GmbH | Germany | Server infrastructure and data storage | All Customer Personal Data (hosting) |
| Cloudflare, Inc. | USA (edge network) | CDN, DDoS protection, WAF | IP addresses, request metadata (transit only; no persistent storage of Customer Personal Data) |
Notes
- Hetzner Online GmbH provides physical server infrastructure within Germany. Hetzner does not have logical access to Customer Personal Data; it provides only hardware, network, and power.
- Cloudflare processes request metadata at its global edge network for security and performance. Survey response data and respondent personal data are not stored by Cloudflare. Cloudflare is certified under the EU-US Data Privacy Framework.
- Askalot does not use third-party AI models, analytics services, or advertising platforms to process Customer Personal Data.
Change Notifications
Subscribe to Sub-processor change notifications by emailing [email protected] with subject "Sub-processor notifications."