This Terms of Service Agreement, including any exhibits and policies referenced herein (the “Agreement”), forms a binding agreement between GetWhy A/S, on behalf of itself and its Affiliates (collectively, “GetWhy”, “we”, “our” or “us”), and the person or entity agreeing hereto, on behalf of itself and its Affiliates (“Customer”, “you” or “your”). GetWhy and Customer are each a “Party” and are collectively the “Parties.” “Affiliate” means an entity directly or indirectly Controlled by, Controlling or under common Control with a Party. An entity has “Control” of another entity when it owns more than 50% of equity or voting interests or has primary operational or management responsibility.
This Agreement governs all access and use of the Services, Studies and Insights. This Agreement becomes effective upon initial access to or use of the Services or upon execution of a service order hereunder (“Service Order”), whichever is earlier (the “Effective Date”). By accessing or using the Services or placing a Service Order with us, you represent and warrant that you are 18 years or older and have the authority to enter into and be bound by, and you are bound by, this Agreement. If you access or use the Services or place a Service Order on behalf of a legal entity such as your employer, “you” and “your” will refer to that entity, and you represent and warrant that you have the authority to enter into and bind that entity to this Agreement, and agree to be bound. If the term of a Service Order is inconsistent with a term of this Agreement, the Service Order will take precedence. If you do not agree to these terms, you may not access or use the Services.
In consideration of the mutual covenants and agreements herein and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties incorporate the above recitals into this Agreement and further agree as follows:
a. Account Registration. To access and use the Services, you must register an account (“Account”). You agree to (and to use commercially reasonable efforts to cause each Authorized User to) provide accurate, complete and current registration information at all times, to keep all Account login credentials (e.g., username and password) confidential and secure, and to notify us immediately of any unauthorized use of an Account. You are responsible for all activities that occur under your Account.
b. Service Level Agreement (“SLA”). The applicable SLA for use of the Platform is set forth in Exhibit 3.
c. Acceptable Use Policy. You agree not to do (and you agree to use commercially reasonable efforts to cause any Authorized User not to do) any of the following, whether directly or indirectly: (i) post, upload, publish, submit or transmit any Customer Content that: (A) infringes, misappropriates or violates Intellectual Property Rights, or rights of publicity or privacy; (B) violates, or encourages any conduct that would violate, any applicable law or regulation; (C) is fraudulent, false, misleading or deceptive; (D) is defamatory, obscene, pornographic or offensive; (E) promotes discrimination, bigotry, racism, hatred, harassment or harm; (F) is violent or threatening; (G) promotes violent, illegal or harmful activities or substances; or (H) contains any malicious computer code, file or program; (ii) use, display, mirror or frame the Services (in whole or part), any GetWhy name, mark, logo or other proprietary information, or the layout and design of any page or form, without GetWhy’s express prior written consent; (iii) avoid, bypass, remove, deactivate, impair, descramble or otherwise circumvent any technological measure implemented to protect the Services, Insights or any other content therein; (iv) attempt to access or search the Services or download Insights or other content from the Services through the use of any engine, software, tool, agent, device or mechanism (including spiders, robots, crawlers, data mining tools or the like) other than the software and/or search agents provided by GetWhy or generally available third-party web browsers; (v) send any unsolicited or unauthorized advertising, promotional materials, spam, emails, junk mail, chain letters or other forms of solicitation; (vi) use any metatags or other hidden text or metadata that incorporates a GetWhy name, mark, logo, domain or product name without GetWhy’s express prior written consent; (vii) rent, lease, distribute, license, sublicense, sell, loan, transfer, assign, distribute, network, or otherwise provide access to or use of the Services, Insights or other content therein, to or for the benefit of any third party in any manner not permitted by this Agreement, including without limitation to create a competitive service or product; (viii) forge any TCP/IP packet header or any part of the header information in any email or newsgroup posting, or in any way use the Services to send altered, deceptive or false source-identifying information; (ix) attempt to decipher, decompile, disassemble, reverse engineer, exchange or translate any software on the Site or Platform or otherwise used to provide the Services, or remove or tamper with any disclaimers, Intellectual Property Rights notices, proprietary rights notices or other legal notices in the Services; (x) attempt to reproduce, modify, adapt or create derivative works of the Services; (xi) interfere with, or attempt to interfere with, the access of any user, host or network, such as by sending a virus, overloading, flooding, spamming or mail-bombing the Services; (xii) scan, probe or test the Services, or breach the security of the Services; (xiii) disrupt the normal flow of communications on the Services, or access or use the Services in any way that could damage, disable, overburden or otherwise impair GetWhy’s systems; (xiv) impersonate or misrepresent your affiliation with any person or entity; or (xv) otherwise violate any applicable law or regulation.
d. Modifications. We may update, modify or even discontinue all or any part of the Services in our sole discretion, with or without notice. If we materially reduce the functionality of Services or if we discontinue Services that are not replaced by a substantially equivalent function or feature, you may terminate the affected Services upon 30 days’ written notice to GetWhy; and in such event, GetWhy will refund any prepaid, unused Fees in respect of the terminated Services.
e. Monitoring. We are not obligated to monitor access to or use of the Services or to monitor, review, censor or edit any Customer Content. However, we have the right to do so for the purposes of operating the Services, ensuring compliance with this Agreement, protecting the rights and safety of our personnel and third parties, and complying with legal requirements. We reserve the right to investigate violations or other conduct that affects the Services, and to remove or disable access to Customer Content if we determine, in our sole, reasonable discretion, that such content is in violation of this Agreement. We may also consult and cooperate with law enforcement authorities to prosecute users who violate applicable law.
f. Subcontractors. We may, at any time and without notice, use subcontractors in connection with performing hereunder; provided, however, that with respect to subcontractors that would qualify as sub-processors of Personal Data under applicable Data Protection Laws, we will provide reasonable notice of any new or changed subcontractors and a reasonable opportunity to object. We will impose obligations on any subcontractor that we appoint, that are substantially equivalent to the terms set out herein. We will remain liable for the performance of our subcontractors.
a. You agree to pay all fees as set forth in an applicable Service Order (“Fees”). We will invoice you for Fees annually in advance, or as otherwise specified in an applicable Service Order. We reserve the right, in our sole discretion, to adjust applicable Fees at the end of the then-current Term, upon 30 days’ advance notice to you. Invoices may be provided electronically. Payment is due within 10 days of invoice date. All Fees will be invoiced and payable in the currency defined in the Service Order, unless otherwise mutually agreed in writing. All Fees are non-refundable, except as expressly agreed in writing.
b. If you do not pay any amount when due, we may, in our sole discretion and effective upon notice to you: (i) suspend Services; (ii) apply a late charge on the unpaid amount equal to the lesser of 1.5% interest per month or the maximum rate allowed by law; (iii) require a cash deposit or other security to guarantee payment; and/or (iv) pursue any other remedy available under this Agreement, at law or in equity.
c. If you desire to dispute in good faith an invoiced amount, you agree, within 10 days of the invoice date, to: (i) pay the invoiced amount; and (ii) provide notice of the details of the dispute, together with all supporting documentation. The Parties then will work diligently to promptly resolve the dispute and upon resolution: (1) we will promptly credit any amount found to be owed to you; or (2) you will promptly pay any amount found to be owed to us. If you do not timely submit a documented dispute notice per this Section, you waive all rights to dispute such amounts, including any claim of set-off or reimbursement.
b. During the Term and for three years after, Receiving Party will not use, copy or disclose Confidential Information except as permitted herein. All copies of Confidential Information remain Disclosing Party’s sole property. Receiving Party will protect Disclosing Party’s Confidential Information using at least the same procedures as it uses to protect its own Confidential Information, but with no less than reasonable care. Receiving Party may disclose Confidential Information to its employees, consultants and contractors who have a need to know in connection with this Agreement and who have executed a similarly stringent confidentiality agreement or are subject to a professional duty of confidentiality. Receiving Party also may disclose Confidential Information pursuant to applicable law, regulation, subpoena or other order of a court of competent jurisdiction (collectively, “Legal Requirement”) or to establish rights or obligations under this Agreement in any proceeding; provided, that: (i) reasonable prior notice, unless legally prohibited, is provided to Disclosing Party to permit it the opportunity to contest such disclosure; (ii) Receiving Party cooperates with Disclosing Party to comply with any applicable protective order; and (iii) Receiving Party discloses only to the extent necessary to comply with the Legal Requirement or to establish such rights or obligations. Receiving Party will notify Disclosing Party upon discovery of any unauthorized use or disclosure of Confidential Information and will cooperate to help prevent further unauthorized use or disclosure.
c. These confidentiality obligations do not apply to Confidential Information which: (i) was in the other’s possession before receipt from Disclosing Party; (ii) was received in good faith from a third party not subject to a confidential obligation to the other Party; (iii) now is or later becomes publicly known, through no breach of confidential obligation by Receiving Party; (iv) was developed by Receiving Party without having access to the Confidential Information received from the other Party; or (v) is authorized in writing by Disclosing Party to be released or is designated in writing by Disclosing Party as no longer confidential.
d. Receiving Party acknowledges that Disclosing Party’s Confidential Information is valuable and unique and that unauthorized use or disclosure will result in irreparable injury to Disclosing Party, for which monetary damages are inadequate. If Receiving Party violates or threatens to violate this Section, Disclosing Party may seek injunctive relief without posting bond, in addition to any other available remedies.
a. Each Party will comply at all times with Data Protection Laws and as applicable, the terms of the Data Processing Addendum attached as Exhibit 4. “Data Protection Laws” mean any privacy or data protection Laws applicable to GetWhy’s Processing of Personal Data, including without limitation: (i) the EU Data Protection Laws; (ii) the Privacy and Electronic Communications (EC Directive) Regulations 2003; (iii) the Swiss Federal Act on Data Protection; (iv) the UK Data Protection Laws; (v) the CCPA; and (vi) the Virginia Consumer Data Protection Act (Va. Code §§ 59.1-575 et seq.) and other applicable state laws; in each case, as updated, amended or replaced from time to time. “Personal Data” means data relating to an identified or identifiable natural person. An identifiable natural person is one who can be specifically identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data or online identifier, or by reference to one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity.
b. If any act or omission by a Party results in any actual or reasonably suspected breach of Data Protection Laws, such Party will notify the other Party within 48 hours and comply with reasonable requests in order to remedy the breach, including in relation to any data transfer obligations under the Data Protection Laws.
a. Each Party will implement reasonable physical, technical and organizational safeguards designed to secure the Services and Insights (with respect to us) and the Customer Content (with respect to you and your Authorized Users) from unauthorized access, disclosure, loss, modification or destruction. For more information about the security measures implemented by GetWhy, see the Data Processing Addendum attached as Exhibit 4, and our Public Security Declaration available at https://getwhy.io/security/ or any successor URL.
b. If a Party discovers that a Security Incident has occurred, that Party will notify the other Party promptly (and in any event within 48 hours) unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority. (“Security Incident” means a breach of security of the Services leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Content in the possession or control of GetWhy.) In addition to providing such notice, the notifying Party will promptly take reasonable steps to investigate and mitigate the effects of the Security Incident.
a. Term. This Agreement will continue for one year from the Effective Date (“Initial Term”) unless terminated earlier pursuant hereto, and thereafter, will renew automatically for successive periods of the same length (each, a “Renewal Term”) unless, before expiration of the Term, either Party provides timely notice of non-renewal. The Initial Term and all Renewal Terms are collectively, the “Term”. If the Parties enter into a Service Order that expires after the Term, the Term will expire on the same date as that Service Order.
b. Termination. Either Party may terminate this Agreement in whole or part, including any particular Service Order(s), immediately upon notice to the other Party if: (i) the other Party is in material breach of this Agreement and if the breach is capable of cure, the breaching Party does not cure the breach within 30 days after written notice of the breach; or (ii) if the other Party ceases to operate or is liquidated or dissolved, has a receiver or administrator appointed, commences (or has commenced against it) proceedings under any bankruptcy, insolvency or debtor’s relief law which are not dismissed within 60 days, makes a general assignment for the benefit of its creditors, or otherwise becomes insolvent or unable to meet its financial obligations. In addition, if Customer undergoes a Change of Control, GetWhy may terminate the Agreement upon 30 days’ notice to Customer or Customer’s successor; provided, that, GetWhy has reasonably determined in its sole discretion that such successor is (x) unable to assume and fulfill Customer’s obligations herein or (y) is a direct competitor of GetWhy. (“Change of Control” means one or more transactions whereby (1) Control of a Party is transferred, (2) all or substantially all of the Party’s assets or securities are acquired or (3) the Party is merged or consolidated with another entity; provided, that such Party’s equity owners immediately before the transaction(s) will, immediately afterward, hold less than 50% voting power of the successor entity.)
c. Effect of Termination. Upon termination of this Agreement: (i) all rights to access or use the Services will terminate and we will cease providing the Services; (ii) you will be entitled to continued use of Insights summaries and links to video reels exported pursuant to Section 2(a)(ii) of the Agreement; (iii) you will pay GetWhy any applicable Fees accrued but unpaid; (iv) all liabilities accrued before the date of termination will survive; and (v) upon request, each Receiving Party will return or destroy all copies of Disclosing Party’s Confidential Information.
a. Mutual. Each Party represents and warrants that: (i) it possesses the full right, power and authority to enter into and fully perform the Agreement and grant the rights granted herein; (ii) it is not bound by any obligation that would prevent it from entering into or performing its obligations herein; (iii) the execution, delivery and performance of this Agreement has been duly authorized by all necessary corporate action; and (iv) it will comply with all applicable laws, rules and regulations in its performance hereunder.
b. GetWhy. We further represent and warrant that: (i) the Services will comply with all applicable laws, including Data Protection Laws; (ii) the Services will in all material respects conform in accordance with GetWhy’s published documentation; and (iii) the Services are and will remain, when accessed by Customer or its Authorized Users, free of any virus or other malicious code.
c. Customer. You further represent and warrant that you own or have all required rights, consents and permissions for the use, processing and transfer of Customer Content provided to us.
d. Disclaimer. EXCEPT AS SPECIFICALLY SET FORTH IN THIS SECTION, GETWHY MAKES THE SERVICES AND INSIGHTS AVAILABLE ON AN “AS IS” BASIS, AND DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, ACCURACY, INTEGRATION, AVAILABILITY, SECURITY, AND ALL IMPLIED WARRANTIES ARISING OUT OF USAGE OF TRADE, COURSE OF DEALING OR COURSE OF PERFORMANCE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF WARRANTIES OR LIMITATIONS ON HOW LONG SUCH WARRANTIES LAST, SO THE EXCLUSIONS OR LIMITATIONS IN THIS SECTION MAY NOT APPLY. IN ADDITION, THESE EXCLUSIONS AND LIMITATIONS ARE NOT INTENDED TO APPLY TO: (i) DEATH OR BODILY INJURY TO THE EXTENT DIRECTLY CAUSED BY A PARTY’S GROSS NEGLIGENCE; OR (ii) A PARTY’S FRAUD OR OTHER WILLFUL MISCONDUCT. FURTHER, GETWHY DOES NOT GUARANTEE ANY RESULTS, OR THE ACCURACY OF ANY RESULTS, THAT CUSTOMER OR ANY AUTHORIZED USER MAY OBTAIN FROM THE SERVICES, INSIGHTS, DOCUMENTATION, OR GETWHY CONTENT.
a. Customer. Customer will, at its cost, defend, indemnify and hold harmless GetWhy, its Affiliates, licensors and service providers, and its and their respective officers, directors, employees, contractors, agents, licensors, suppliers, successors and assigns (each, a “GetWhy Indemnitee”) through final judgment or settlement, from and against any third-party claim, action, suit, proceeding, judgment, settlement, loss, damages, expenses (including reasonable legal fees and expenses) and costs (“Claim”) brought against a GetWhy Indemnitee arising out of or based upon: (i) unauthorized access to or use of the Services, Insights and/or any other information obtained therefrom; (ii) Customer Content; or (iii) a material breach of Customer’s obligations under this Agreement.
b. GetWhy. GetWhy will, at its cost, defend, indemnify and hold harmless Customer, its Affiliates, licensors and service providers, and its and their respective officers, directors, employees, contractors, agents, licensors, suppliers, successors and assigns (each, a “Customer Indemnitee”) through final judgment or settlement, from and against any third-party Claim brought against a Customer Indemnitee arising out of or based upon: (i) a material breach of GetWhy’s obligations under this Agreement; or (ii) allegations that Customer’s use of the Services in accordance with this Agreement infringes or misappropriates the Intellectual Property Rights of a third party, unless such Claim is attributable to the following: (1) any unauthorized modification or enhancement of the Services; or (2) use of the Services in combination with other products or services not provided or approved by GetWhy, where the violation, infringement or misappropriation would not have occurred but for such combination.
c. Process. The GetWhy Indemnitee or Customer Indemnitee, as applicable (“Indemnified Party”), will (i) promptly provide notice to the other Party hereto (“Indemnifying Party”) of any indemnifiable Claim provided, that, any delay in providing notice will not relieve Indemnifying Party of its obligations hereunder, except to the extent that Indemnifying Party is materially prejudiced by the delay, (ii) permit Indemnifying Party to control the defense of such Claim and (iii) provide reasonable assistance at Indemnifying Party’s cost. Subject to the foregoing, Indemnifying Party may select legal counsel to represent the Indemnified Party (such counsel to be reasonably satisfactory to the Indemnified Party) and to otherwise control the defense. If Indemnifying Party chooses to control the defense, Indemnified Party may fully participate in the defense at its own cost. If Indemnifying Party, within a reasonable time after receipt of notice of Claim, fails to defend Indemnified Party, Indemnified Party may defend and compromise or settle the Claim at Indemnifying Party’s reasonable cost; provided, that, in any event, Indemnifying Party may not consent to entry of any judgment or settlement that imposes liability or obligations on an Indemnified Party or diminishes an Indemnified Party’s rights, without obtaining the affected Indemnified Party’s express prior consent, such consent not to be unreasonably withheld or delayed.
a. Because GetWhy respects Content owners’ rights, it is our policy to respond to alleged copyright infringement notices that comply with the United States Digital Millennium Copyright Act, 17 United States Code Section 512 (the “DMCA”). If you believe that your copyrighted work has been used in a way that constitutes copyright infringement and is accessible via the Services, please provide a valid notification to our copyright agent as set forth below and in the DMCA. For your notification to be valid under the DMCA, you must provide all of the following information in writing:
i. An electronic or physical signature of a person authorized to act on behalf of the copyright owner;
ii. Identification of the copyrighted work that you claim has been infringed;
iii. Identification of the material that is claimed to be infringing and where it is located on the Services;
iv. Information reasonably sufficient to permit us to contact you, such as your address, telephone number and e-mail address;
v. A statement that you have a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent or law; and
vi. A statement, made under penalty of perjury, that the above information is accurate, and that you are the copyright owner or are authorized to act on behalf of the owner.
b. The above information must be submitted to our copyright agent as follows:
Attention: GetWhy DMCA Agent
Address: Langebrogade 4, 1411 Copenhagen, Denmark
Email: legal@getwhy.io (please put “DMCA” in email subject line)
c. UNDER U.S. FEDERAL LAW, IF YOU KNOWINGLY MISREPRESENT THAT ONLINE MATERIAL IS INFRINGING, YOU MAY BE SUBJECT TO CRIMINAL PROSECUTION FOR PERJURY AND CIVIL PENALTIES, INCLUDING MONETARY DAMAGES, COURT COSTS AND ATTORNEYS’ FEES.
d. Please note that this procedure is exclusively for notifying GetWhy and our Affiliates that your copyrighted material has been infringed. The preceding requirements are intended to comply with our rights and obligations under the DMCA, but do not constitute legal advice. It may be advisable to contact an attorney regarding your rights and obligations under the DMCA and other applicable laws.
e. In accordance with the DMCA and other applicable law, GetWhy has adopted a policy of terminating, in appropriate circumstances, users who are deemed to be repeat infringers. We may also at our sole discretion limit access to the Services and/or terminate the account of any user who infringes any Intellectual Property Rights of others, whether or not there is any repeat infringement.
a. Amendments. We may amend this Agreement from time to time, in our sole discretion, by posting the amended Agreement on the Site. We may also send you other forms of notice. If you continue to use the Services after such posting or notice, it means that you accept and agree to be bound by the amended Agreement. If you don’t agree to the amendments, you must cease any access or use of the Services.
b. Force Majeure. Neither Party will be liable in damages or have the right to terminate this Agreement for any delay or default in performing hereunder (except for failure to timely pay) if such delay or default is caused by conditions beyond its reasonable control including without limitation any act of God, war, military action, governmental restriction or action, civil disorder or unrest, terrorism, explosion, accident, fire, flood or other natural disaster, vandalism, sabotage, labor condition, shortage, embargo, malicious code or online attacks (provided, that the Party claiming such cause has taken commercially reasonable steps to prevent such attacks) or other cause beyond such Party’s reasonable control (each, a “Force Majeure Event”). A Party whose performance is affected by a Force Majeure Event will promptly provide notice with relevant details to the other Party and the notifying Party’s obligations will be suspended to the extent caused by such Force Majeure Event for as long as it continues; and the time to perform the affected obligation will be extended by the delay caused by the Force Majeure Event. If the affected Party is prevented by the Force Majeure Event from performing its obligations with regard to Services for 30 days, it may in its sole discretion immediately terminate the affected Services upon notice to the other Party.
c. Governing Law and Forum. This Agreement will be construed and enforced in accordance with the laws of Denmark, without regard to its conflict of laws provisions. Each Party agrees that any action, suit or other proceeding involving GetWhy arising from or based upon this Agreement will be brought and maintained only in the Danish courts. The Uniform Computer Information Transactions Act and United Nations Convention on Contracts for the International Sale of Goods will not apply to this Agreement.
d. Survival. The Parties’ rights and obligations with respect to the following Sections will survive termination of this Agreement: 2 (Intellectual Property Rights ownership), 4 (payment disputes), 6 (confidentiality), 10 (warranty disclaimer), 11 (indemnification), 12 (limitation of liability) and 15 (miscellaneous).
e. Entire Agreement. This Agreement constitutes the entire and exclusive understanding and agreement between GetWhy and you regarding the Services, and supersedes and replaces all prior oral or written understandings or agreements between GetWhy and you regarding the Services.
f. Severability. If any provision of this Agreement is held invalid or unenforceable by a court of competent jurisdiction, that provision will be enforced to the maximum extent permissible and the other provisions will remain in full force and effect.
g. Construction. Without limitation, the terms of any other document, course of dealing, or course of trade will not modify this Agreement, except as expressly provided herein or as the Parties may agree in writing.
h. Interpretation. Section headings are for convenience or reference only and do not form a part of this Agreement and will not affect their interpretation. Neither Party will be afforded or denied preference in the construction of this Agreement, whether by virtue of being the drafter or otherwise. For purposes of the Agreement, the words and phrases “include”, “includes”, “including”, and “such as” are deemed to be followed by the words “without limitation”.
i. Relationship of Parties. Nothing herein will be deemed to create, or be construed as creating, a joint venture, partnership, employment or agency relationship between the Parties.
j. Assignment. Neither Party may assign this Agreement without the other Party’s express prior consent except (i) to an Affiliate or (ii) in connection with a Change of Control, subject to Section 9(b). This Agreement will bind and inure to the benefit of the Parties, their successors and permitted assigns. Any attempted assignment in contravention of this Section is null and void.
k. Notices. Any notices or other communications provided by GetWhy will be given: (i) via email; or (ii) by posting to the Services. For notices made by email, the date of receipt will be deemed the date on which such notice is transmitted.
l. Waiver of Rights. Our failure or delay to enforce any right or provision of this Agreement will not be considered a waiver of that right or provision. Any waiver will be effective only if in writing and signed by a duly authorized representative of GetWhy. Except as expressly set forth in this Agreement, the exercise by either Party of any of its remedies hereunder will be without prejudice to its other available remedies.
Study Details: The overview tab includes critical aspects of a Study. This encompasses the Study design, detailing the structure and sequence of questions/tasks provided to Study participants. The creation and completion dates of the Study are also documented. Additionally, the Study settings and comprehensive details about the participants/audience demographics are included.
Videos: Full-length video interviews from the Study are accessible in this tab.
Quotes: This tab displays all relevant quotes identified by our AI/Platform. It allows you to play video snippets from where the quotes are taken, and to search or browse quotes based on tasks.
Insights: This tab contains Insights from a Study, relevant to its objectives. Each Insight includes a headline, a showreel of video snippets, and related quotes. It may also include scoring elements and other relevant information. Insights can be searched by free text or by Study objectives.
Summary: This page is the executive summary of an entire Study. It contains the key takeaways from the Study, as well as written Insights for each designated objective of the Study.
Actions: For the current version of the Platform, you can select one option under “+ Actions,” which is to “translate quotes and subtitles to English.” This service is intended for cases where, for example, a Study is conducted in German but the Authorized User does not understand German. The translation provided will be a basic translation meant to offer a general understanding of the Study, and its accuracy and completeness are not guaranteed. GetWhy will make reasonable efforts to ensure translation quality but cannot be held liable for any inaccuracies or errors.
Project Insights: In cases where multiple Studies are conducted and you have opted to purchase “Project Insights”, these Insights will be aggregated and displayed across all related Studies within the Platform. This aggregation allows for a comprehensive view of Insights derived from multiple Studies.
Manage Users: Here you can add and remove users to your projects.
Create Study: GetWhy provides you the option to initiate a new Study using our online template and Study generator tool, allowing you to define the Study’s audience and other parameters such as demographics, sample size and key objectives. Both Parties agree to collaborate closely during the creation of each Study. Customer will ensure timely provision of necessary information and stimuli for participants, while GetWhy will offer guidance and support throughout the setup process. Any additional customization requests beyond the standard template functionalities may incur further charges, which the Parties will agree upon in advance.
Studies Overview: This is your “home page”, where you can see an overview of all the Studies/projects to which you have access with your GetWhy account. The overview will include Study/project titles, status, key deliverables, and access dates.
My Profile: An Authorized User may edit their name in their account profile. Authorized Users are responsible for keeping their profile information accurate and up-to-date.
Studies
A “Study” is a market or consumer research study, conducted using the Platform. A Study typically includes a minimum of 10 participants from a target audience designated by a Customer, and leveraging GetWhy’s access to relevant target group panelists.
A Study focuses on a Customer’s business questions or objectives, and aims to uncover market or consumer Insights about the Customer’s designated target audience. (A Study can be run on one target audience; multiple target audiences would require separate Studies.)
During a Study, in order to elicit verbal responses, the participants are exposed to either (a) interview questions alone or (b) interview questions in conjunction with some form of “stimulus” provided by the Customer, which could include images, texts, videos, sounds or similar content, delivered either through links or uploads.
Insights
An “Insight” is a report on the qualitative insights collected in a Study, which typically consist of participant interview responses, and which are generated through transcriptions, tags, themes and clusters. These interview responses are compiled by the Platform, supported by video, quotes, and other relevant evidence from the Study, and are made available to the Customer for internal business uses.
Insights are designed to yield a deeper understanding about target consumers and markets. GetWhy provides a variety of Insights, using templates that are custom-tailored to the Customer’s unique business needs and requirements. The templates are also tailored to fit different Study types, and may incorporate media in multiple formats, including text, images, illustrations, presentations, interview video clips, and more. Various types of Studies can be run (defining the Insights received), including to better understand:
– core needs
– how concepts resonate
– how design resonates
– how brand perception resonates
– how brand story resonates
– how brand name resonates
– how CVI resonates
– how video ads resonate
– how advertisement visuals resonate
– how banners, ad copies, outdoor ads, packaging, and others resonate
– and more
This Service Level Agreement (“SLA”) sets forth the uptime and support service levels for the GetWhy Research Agent Platform. The SLA applies only to Customers of GetWhy. Any capitalized terms used but not defined in this SLA will have the meanings set forth in the Agreement.
1. Definitions.
a. “Available” or “Availability” means that the Platform is accessible and functioning in all material respects per GetWhy’s published documentation.
b. “Business Day” means a day other than a Saturday, Sunday or Denmark public holiday.
c. “Business Hours” means the hours from 9:00 am until 5:00 pm on Business Days.
d. “Calendar Month” means the period between the first day of each successive calendar month.
e. “Downtime” means the minutes during the Calendar Month when the Platform is not Available, except for any Excluded Minutes.
f. “Excluded Minutes” means the minutes elapsed while the Platform is not Available because of: (i) acts or omissions of the Customer or its service providers, suppliers, subcontractors or Authorized Users; (ii) breach of the Agreement by the Customer or any of its Authorized Users; (iii) the Customer’s or any of its Authorized Users’ failure to adhere to the GetWhy documentation; (iv) software, hardware or third-party services not selected, provided or controlled by GetWhy; or (v) a Force Majeure Event (as defined in the Agreement).
g. “Incident” means a problem reported by the Customer that is reproducible and that GetWhy confirms is a nonconformity of the Platform with GetWhy’s published specifications or documentation, and that results in a loss of all functionality or substantial features or functionality within the Platform.
h. “Level 1 Support” means call answering, logging and screening for the severity level of a reported problem and use of commercially reasonable efforts to diagnose the root cause of the problem. Problems that are confirmed to be Incidents will be escalated to Level 2.
i. “Level 2 Support” means end user support following Level 1 Support to address Incidents in accordance with their relative severity.
j. “Maximum Uptime” means total minutes in a Calendar Month minus Maintenance Minutes during the same Calendar Month.
k. “Maintenance Minutes” means the minutes elapsed during maintenance performed by GetWhy that results in the Platform not being Available, where GetWhy has provided the Customer with reasonable advance notice.
l. “Response Time” means the minutes elapsed between when GetWhy acknowledges receipt of Customer’s Support Services request and when the request is resolved as determined in GetWhy’s sole discretion.
m. “Uptime Percentage” means the Maximum Uptime minus Downtime and divided by Maximum Uptime for a Calendar Month.
2. Uptime.
a. GetWhy will use commercially reasonable efforts to make the Platform Available each Calendar Month in accordance with the following Uptime Percentage: ≥ 99%.
b. GetWhy may schedule Downtimes by providing Customer with reasonable advance notice via the agreed upon communication protocol. GetWhy reserves the right to perform regularly scheduled maintenance during non-core Business Hours.
3. Support.
a. GetWhy will provide Level 1 Support and Level 2 Support as described herein (“Support Services”).
b. GetWhy will use commercially reasonable efforts to make available email reporting to the Customer and its Authorized Users, via the support email address (or such other email designated by GetWhy) for submission of Support Services requests. GetWhy will acknowledge each submitted email request within the time period described in the tables below, after GetWhy’s receipt.
c. GetWhy will use commercially reasonable efforts to update Customer or the applicable Authorized User on the status of the Support Services request.
d. GetWhy will prioritize resolving Support Services requests for an Incident that, as determined in GetWhy’s sole discretion, critically impacts Customer’s and Authorized Users’ use of the Platform, over all other Support Services requests. GetWhy will provide the Support Services during Business Hours. Services issues and their priority are defined as follows:
Severity Level | Definition | Example |
---|---|---|
1: Critical | Business outage or significant Customer impact that threatens future productivity | Many or all Authorized Users are unable to access the Platform; Platform response time is severely degraded from standard |
2: Urgent | High-impact problem where production is proceeding, but in a significantly impaired fashion; there is a time-sensitive issue important to long term productivity that is not causing an immediate work stoppage | Certain Authorized Users are unable to access the Platform; Platform performance is unstable |
3: Important | Important issue that does not significantly impact current productivity | An Authorized User desires a patch for a non-emergency break-fix situation |
4: Informational | Request for information or enhancement, or minor technical issue with only a minor impact on Customer productivity | An Authorized User desires a new Platform feature or function |
Severity Level | Receipt Acknowledged | Restoration Target |
---|---|---|
1: Critical | 4 Business Hours | Within 8 Business Hours |
2: Urgent | 4 Business Hours | Within 48 Business Hours |
3: Important | 1 Business Day | To be determined with proposed course of action (e.g., next release) |
4: Informational | 1 Business Day | To be determined with proposed course of action (e.g., next release) |
4. Reporting
a. Upon Customer’s written request up to once per calendar quarter, GetWhy will send Customer a report for the requested quarter during the Term, including the following information: (i) average Response Time for the applicable quarter; (ii) list of common user issues for which Support Services requests were submitted in the applicable quarter; and (iii) any recommendations that GetWhy made to the Customer or mitigation plans that GetWhy implemented to reduce the frequency of occurrence of a particular user issue. GetWhy will provide the report within 10 Business Days after receipt of the request.
b. GetWhy will measure the Response Time for each Support Services request received in a calendar quarter and will calculate the total Response Time by summing the Response Time for all Support Services requests received in a calendar quarter. The average Response Time for a calendar quarter will be calculated by dividing the total Response Time by the total number of Support Services requests received in a calendar quarter. The parties may establish mutually agreed or mitigation plans intended to address concerns with reported Response Times.
5. Credits.
a. In the event of an Incident, and subject to the terms of this SLA, GetWhy will issue a credit to Customer in the following percentage of the Fees (calculated on a prorated monthly basis) for the affected Services attributed to the monthly service period in which the Incident occurred (each a “Credit”):
System Availability (Monthly) | Credit (% of monthly prorated Fees) |
---|---|
99.00% – 98% | 2% |
97.99% – 95% | 4% |
94.99% – 90% | 6% |
89.99% or below | 8% |
b. Eligibility for Credits is subject to the following:
i. To be eligible for a Credit, Customer must be in good standing with no delinquent invoices, in addition to any other SLA requirements. If Customer is eligible to receive more than one Credit attributable to the same SLA failure, Customer will only receive one Credit equal to the highest of all Credits then available.
ii. GetWhy has no obligation to issue a Credit unless Customer: (1) reports the Incident to GetWhy immediately upon becoming aware of it; and (2) requests the Credit in writing within one week of the Incident.
iii. In no event will a Credit for any service period exceed twenty-five percent (25%) of the total Fees that would be attributed to that Service period if no Incident had occurred.
iv. Any Credit payable to Customer will be issued in the calendar month following the monthly Subscription Service period in which the Service Level Failure occurred.
v. This Exhibit sets forth GetWhy’s sole obligation and liability and Customer’s sole remedy for any Incident. GetWhy may modify this SLA from time to time, effective upon notice to Customer or posting of the revised SLA on the Services. Continued use of Services 15 days after the date of such notice or posting will constitute assent to the modified SLA.
This Data Processing Addendum (“Addendum”) supplements and is incorporated by this reference into the Terms of Service Agreement entered into between GetWhy and the Customer (“Agreement”) and relates to Personal Data which is provided or made available to, shared with, or accessed by GetWhy for Processing on Customer’s behalf. Data Protection Laws worldwide place certain obligations upon a Controller, to ensure that a Processor engaged by the Controller provides sufficient guarantees that any such Processing is secure. This Addendum exists to ensure that there are sufficient security measures in place and that the Processing complies with the Parties’ obligations under such Data Protection Laws.
1. DEFINITIONS
Any capitalized terms used but not defined in this Addendum will have the meanings set forth in the Agreement.
a. “CCPA” means Title 1.81.5, California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100–1798.199), as amended by Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”). The CCPA is a data privacy law that provides California consumers with a number of privacy protections, including the right to access, delete and opt-out of the “sale” or “sharing” of their Personal Data (as such terms are defined in the CCPA).
b. “Controller” means an entity which, alone or jointly with others, determines the purposes and means of Processing of Personal Data (including as applicable, a “business” as defined by the CCPA).
c. “EU Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR”).
d. “EU Standard Contractual Clauses”, “SCCs” or “Clauses” means, where the EU Data Protection Laws apply, the Standard Contractual Clauses forming part of Decision 2021/914/EC (as amended or replaced from time to time), including their appendices and with the relevant Modules and Options set out herein.
e. “Laws” means any applicable national, state, provincial and local laws, rules, regulations, directives, statutes, orders, judgments, decrees, rulings, and enforceable regulatory guidance.
f. “Process” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
g. “Processor” means an entity which Processes Personal Data on behalf of the Controller (including as applicable, a “service provider” as defined by the CCPA).
h. “Security Incident” means a Personal Data breach or any unauthorized access or breach of security due to GetWhy’s failure to comply with its data privacy and/or security obligations hereunder, leading to, or reasonably believed to have led to, the theft, accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, any Personal Data Processed by GetWhy under or in connection with the Agreement.
i. “Sub-processor” means a third-party service provider engaged by GetWhy to assist with the Processing of Personal Data.
j. “UK Data Protection Laws” means the Data Protection Act 2018 and the United Kingdom’s version of the GDPR which is part of UK law by virtue of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and any legislation applicable in the UK in force from time to time relating to privacy or the Processing of Personal Data.
k. “UK Standard Contractual Clauses” means, where the UK Data Protection Laws apply, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, and as revised under Section 18 of the International Data Transfer Addendum (the “UK Addendum”).
2. ROLES, LIMITATIONS ON USE
a. The Parties acknowledge and agree that regarding Personal Data, Customer may be a Controller or a Processor acting on its client’s behalf. Where Customer is a Controller, GetWhy will be a Processor; and where Customer is a Processor, GetWhy will be a Sub-processor. To the extent that GetWhy also provides Services to, and Processes Personal Data provided by or on behalf of an Affiliate of Customer, each such Affiliate will be the Controller of the Personal Data that it provides to GetWhy and such Affiliate will have the same rights that Customer has under this Addendum when such Affiliate is a Controller in respect of the Personal Data.
b. As the Processor (or as applicable, Sub-processor), GetWhy will Process Personal Data solely in accordance with (i) the Agreement or other documented instructions of Customer (whether in written or electronic form) provided in accordance with the Agreement or (ii) as otherwise required by applicable Laws, in which case GetWhy will inform Customer of the legal requirement before Processing, unless legally prohibited on grounds of public interest. Customer acknowledges and agrees that Customer’s final and complete instructions regarding the Processing of Personal Data are set out in the Agreement. Any additional or alternate instructions must be agreed in writing by the Parties (and GetWhy will be entitled to charge a reasonable fee to cover any compliance costs incurred).
c. GetWhy will ensure that persons authorized to Process Personal Data on GetWhy’s behalf have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
d. As the Controller, Customer is responsible for ensuring that, in accordance with Data Protection Laws, (i) there is a lawful basis for the collection and Processing of Personal Data and (ii) Customer has provided an appropriate privacy policy to its Authorized Users and other data subjects.
e. The Parties acknowledge and agree that regarding Usage Metadata, GetWhy is an independent Controller, not a joint Controller with Customer. GetWhy will process Usage Metadata as a Controller: (i) to manage the relationship with Customer; (ii) to carry out GetWhy’s core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, Security Incidents and other misuse of the Services, and to prevent harm to Customer; (iv) for purposes of identity verification; (v) to comply with legal or regulatory obligations applicable to the Processing and retention of Personal Data to which GetWhy is subject; and (vi) as otherwise permitted under Data Protection Laws and in accordance with this Addendum and the Agreement. GetWhy may also process Usage Metadata as a Controller in order to provide, optimize, and maintain the Services, to the extent permitted by Data Protection Laws. Any processing by GetWhy as a Controller will be in accordance with (1) applicable Data Protection Laws and (2) GetWhy’s Privacy Policy set forth at https://getwhy.io/privacy-policy/.
3. SUB-PROCESSORS
Customer agrees that GetWhy may disclose Personal Data to its Sub-processors for purposes of providing the Services to Customer, provided that GetWhy will impose on its Sub-processors data protection obligations that are at least as protective of Personal Data as those set forth in this Addendum. GetWhy has made available to Customer a list of its Sub-processors at https://getwhy.io/sub-processors/, which Sub-processors have been approved by Customer via the Agreement or this Addendum. GetWhy will provide Customer with a mechanism to receive notice of any changes to this list. GetWhy will notify Customer of the addition of any new Sub-processors by updating this list at least 30 days before granting the new Sub-processor access to Customer Content, in order to allow Customer an opportunity to object to the addition. GetWhy will be liable for the acts or omissions of any Sub-processors to the same extent as if the acts or omissions were performed by GetWhy. GetWhy will disclose Personal Data only to approved Sub-processors or as otherwise expressly authorized under the Agreement or this Addendum or as required by applicable Laws.
4. DATA TRANSFERS
In providing the Services, and unless expressly agreed otherwise in writing by the Parties, GetWhy and its Sub-processors may transfer Personal Data to other countries where they have operations, or as otherwise required by applicable Laws. GetWhy will implement appropriate measures to protect Personal Data in accordance with this Addendum and in compliance with applicable Data Protection Laws, regardless of the jurisdiction in which it is located. Any cross-border transfers of Personal Data will take place only where enforceable data subject rights and effective legal remedies for data subjects are available and appropriate safeguards are in place in relation to the transfer, as provided for by: (a) the SCCs as referenced herein; or (b) any other data transfer mechanisms permitted by Data Protection Laws, as appropriate.
5. SECURITY
GetWhy will implement reasonable technical and organizational safeguards designed to protect Customer Content against unauthorized loss, destruction, alteration, access, or disclosure. GetWhy will require GetWhy personnel who will be provided access to, or will otherwise Process, Customer Content, to protect Customer Content consistent with the standards set forth in this Addendum. If GetWhy discovers a Security Incident has occurred, GetWhy will notify Customer in accordance with the Agreement.
6. AUDIT
Upon Customer’s written request and as applicable, execution of a GetWhy standard nondisclosure agreement, GetWhy will provide responses up to once per year to any written questions that Customer may reasonably submit for purposes of verifying GetWhy’s compliance with this Addendum. If Customer reasonably determines that further assessment is required by Laws, then Customer at its sole expense may perform a review, once per year during the term (other than where a Security Incident has taken place, in which case Customer will be entitled to carry out an additional review within 30 days of GetWhy notifying Customer of such Security Incident), of the relevant policies, procedures and related documentation of GetWhy’s Services. The timing, scope and duration of any such review will be mutually agreed by the Parties. Any such review will be conducted in a manner that does not compromise confidentiality obligations to any of GetWhy’s other clients or other third parties. Customer will ensure that any third-party auditor that Customer appoints in connection with a review is: (a) not a GetWhy competitor; and (b) is committed to appropriate confidentiality obligations. Customer and/or any third-party auditor will comply with GetWhy’s standard policies and procedures when accessing GetWhy’s premises or systems.
7. REQUESTS OR COMPLAINTS FROM INDIVIDUALS
GetWhy will promptly notify Customer, unless prohibited by applicable Laws, if GetWhy receives: (a) any request from an individual with respect to Personal Data Processed by GetWhy, including but not limited to opt-out requests, requests for access and/or rectification, blocking, erasure, requests for data portability, and all similar requests; or (b) any complaint relating to the Processing by GetWhy of Personal Data, including allegations that such Processing infringes on a data subject’s rights. Customer is responsible for responding to such requests and complaints from individuals and GetWhy will provide such information and assistance as Customer may reasonably require in order to allow Customer to comply with its obligations under Data Protection Laws in regard to such requests.
8. RETURN OR DELETION
Upon termination or expiration of the Agreement, Customer will be entitled to retrieve its Customer Content (including any Personal Data) in accordance with the Agreement; provided that, Customer must notify GetWhy of Customer Content that Customer wishes to have returned or deleted within 30 days after the effective date of termination or expiration. GetWhy will delete Customer Content from the Services promptly following such retrieval period unless otherwise required by applicable Laws; provided that, GetWhy will be entitled to retain Personal Data where required by Data Protection Laws or other applicable Laws, or where such data is required for GetWhy’s internal record keeping or where it is necessary for use in legal proceedings.
9. EU INTERNATIONAL TRANSFERS
a. With respect to EU-U.S. transfers of Personal Data, GetWhy (acting on its own behalf and as agent for each GetWhy Affiliate) and Customer (acting on its own behalf and as agent for each of its Affiliates) each hereby agree to Process such Personal Data in compliance with the EU SCCs incorporating:
i. The general clauses (Clauses 1-6);
ii. Modules One (Transfer Controller to Controller), Two (Transfer Controller to Processor), and Four (Transfer Processor to Controller) as applicable and the relevant options as specified in the table set out in Section 10 herein; and
iii. With the Annexes populated as set out below:
b. Annex I of the EU SCCs (Details of Data Processing) will be pre-populated with the details set out in Section 11.01 herein; and
c. Annex II of the EU Standard Contractual Clauses (Security Measures) is described in Section 11.02 herein.
d. Before commencing any EU international transfer to or from a Sub-processor, GetWhy will ensure enforceable data subject rights and effective legal remedies for data subjects are available and appropriate safeguards are in place in relation to the transfer, as provided for by: (i) entering into the EU SCCs with such Sub-processor, incorporating the general clauses (Clauses 1-6) and Module 3 (Transfer Processor to Processor); or (ii) any other data transfer mechanisms permitted by Data Protection Laws, as appropriate.
e. EU SCCs: Modules and Options. As applicable, the Parties agree that the following modules and options of the EU SCCs are deemed to be incorporated:
Clause 7 (Docking clause) | Clause 7 will not be incorporated. |
Clause 8 (Data protection safeguards) | Modules 1, 2 and 4. |
Clause 9 (Use of Sub-processors) | Module 2, Option 2, and the specific time period will be as set out herein. |
Clause 10 (Data subject rights) | Modules 1, 2 and 4. |
Clause 11 (Redress) | Module 1 and 2, and the Option in Clause 11(a) will not be incorporated. |
Clause 12 (Liability) | Modules 1, 2 and 4. |
Clause 13 (Supervision) | Module 1 and 2, incorporating all paragraphs of Clause 13(a) as applicable. |
Clause 14 (Local laws and practices affecting compliance with the Clauses) | Modules 1, 2 and 4. |
Clause 15 (Obligations of the Data Importer in case of access by public authorities) | Modules 1, 2 and 4. |
Clause 16 (Non-compliance with the Clauses and termination) | For Clause 16(d) the relevant parts for Modules 1, 2 and 4. |
Clause 17 (Governing law) | Modules 1 and 2, Options 1 and 2 as applicable and the law inserted will be the laws of the EU Member State in which the data exporter is established, save that: (i) where such laws do not allow for third-party beneficiary rights; or (ii) the data exporter is not established in an EU Member State, the law will be the laws of Denmark. Module 4 and the law inserted will be the laws of the country stated in the governing law clause of the Agreement, save that where such law does not allow for third-party beneficiary rights, the law will be the laws of Denmark. |
Clause 18 (Choice of forum and jurisdiction) | Modules 1 and 2 and the courts inserted will be the courts in the Member State referred to in Clause 17 (Governing law). Module 4 and the country inserted will be the country stated to have jurisdiction in the Agreement, save that where the laws of that country do not allow for third-party beneficiary rights, the country will be the law of Denmark. |
f. EU SCCs: Details of Data Processing, Security Measures. As applicable, the Parties agree that Annex I of the EU SCCs will be pre-populated with the following details:
List of Parties | Data Exporter:
Name: the person or entity agreeing to these terms (i.e., the Customer). Address: per Customer’s Service Order(s). Contact person’s name, position, contact details: per Customer’s Service Order(s). Activities relevant to the data transferred under these Clauses: per the Agreement. Role (Controller/Processor): Controller (or as applicable, Processor). Data Importer(s): Name: GetWhy A/S (for itself and its Affiliates) Address: Langebrogade 4, 1411 Copenhagen, Denmark Contact person’s name, position, contact details: Niklas Laugesen, General Counsel, legal@getwhy.io, +45 77348685 Activities relevant to the data transferred under these Clauses: The Data Importer provides the web-based Software-as-a-Service (SaaS) application known as the GetWhy Research Agent (i.e., the “Platform”), and related Services. Role (Controller/Processor): Processor (or as applicable, Sub-processor). Notwithstanding the foregoing, GetWhy is the Controller in respect of Usage Metadata. |
Description of Transfer | Categories of data subjects whose Personal Data is transferred:
The Platform requires the transfer and Processing of Personal Data about the following categories of data subjects: 1. Data Exporter’s administrators, for the purposes of managing the Agreement and the Data Exporter’s license to use the Platform and related Services. 2. Authorized Users of the Platform, for the purposes of facilitating their access to and use of the Platform and related Services. 3. Employees of the Data Exporter where they engage with the Platform and upload Customer Content to it. Categories of Personal Data transferred: The GetWhy Research Agent facilitates the transfer and Processing of the following categories of data, as outlined in the Parties’ Agreement and/or GetWhy’s Privacy Policy: 1. Usage Metadata, including data generated, collected and processed by Data Importer in connection with providing the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse. Usage Metadata (a) does not comprise Customer Content and (b) is collected by GetWhy on an anonymized or pseudonymized and aggregated basis, such that it does not allow GetWhy or any third party to determine that such data relates to or is derived from Customer or any Authorized User. Usage Metadata is not processed on behalf of the Data Exporter, and GetWhy is the data controller in respect of this data. 2. Customer Content, including Personal Data uploaded, submitted or otherwise transmitted to the Platform by the Data Exporter or any third party using the Data Exporter’s account. Such Personal Data includes without limitation: full name; physical address; email address; telephone number; bank information; gender; date of birth; occupation; and Feedback given or received. 
Sensitive data transferred: The Platform does not require the transfer or Processing of any special categories of data (as defined in Article 9(1) of the GDPR). The frequency of the data transfer: Continuous unless otherwise specified in the Agreement. Nature of the Processing: The Platform facilitates the following Processing of Personal Data on behalf of (and on the instructions of) the Data Exporter: 1. Collection of Customer Content, as outlined above, for the purposes of delivering Services; 2. Use and analysis of Customer Content, including without limitation by automated means, for the purposes of qualifying participating users for research studies, creating video and audio recordings and transcriptions of studies, and creating Insights (as defined in the Agreement), analytics and related reporting for the Data Exporter’s use; 3. Secure storage of Customer Content with Sub-processor, Amazon Web Services (AWS); 4. Retrieval of Customer Content on the request of the Data Exporter or the applicable data subject; and 5. Destruction of Customer Content either at the request of the Data Exporter or on the expiry or termination of the Agreement. As set out in the Agreement, GetWhy does not Process Customer Content for any purposes other than those requested by the Data Exporter and outlined in the Agreement and GetWhy’s Privacy Policy. Purpose(s) of the data transfer and further Processing: The purpose of the transfer or Processing of Customer Content is for provision of the Platform and related Services, as more particularly set forth in the Agreement (and Service Orders entered into thereunder). 
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: The duration of the Processing of Customer Content described herein under the Agreement is for the term of such Agreement (and Service Orders entered into thereunder) as such term is defined therein, and not thereafter except if specifically instructed to do so by the Data Exporter.
For transfers to Sub-processors, also specify the subject matter, nature and duration of the Processing: See Sub-processor notification at https://getwhy.io/sub-processors/.
Competent supervisory authority: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby
Tel. +45 33 1932 00
Email: dt@datatilsynet.dk
Website: http://www.datatilsynet.dk/
g. EU SCCs: Security Measures. As applicable, the Parties agree that Annex II of the EU SCCs will be pre-populated with the following details:
Description of the technical and organisational measures implemented by the Data Importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons:
Information security policy statement: The future is human – and the future business is customer-centric. We take a customer-centric approach to everything we do, including our security policies, and we, therefore, understand how important data privacy and protection are to our customers. We trust the people we work with: our customers, employees and partners. With our security policies, we want to provide a clear set of guidelines and rules to make it easy for us to protect sensitive data in the interest of individuals and the companies that trust their data with us. Our application is built on a modern, scalable cloud infrastructure designed to ensure the safety of your data, and we have chosen proven third-party cloud providers with excellent track records and data centres in the EU. We ensure the safety and privacy of your data is baked into our everyday processes throughout our organisation. We do regular data backups and test recovery, run penetration tests, encrypt all data at rest and in transit, conduct static code analysis and vulnerability scanning, perform server hardening, audit trails, and many other cloud security techniques. Scroll down for information about specific security practices, read GetWhy’s Privacy Policy, support and availability agreement, and Data Processing Addendum which also contains a list of third-party data Sub-processors. For questions regarding GetWhy’s Privacy Policy or how we handle your data more generally, please contact us at privacy@getwhy.io.
Product Security:
Permissions: Global access roles allow GetWhy admins to set role-based permission levels for each user account, and project-level access controls allow permission levels to be set for specific projects.
Secure passwords: GetWhy enforces a password complexity standard, and credentials are stored using BCrypt with unique salts.
Account verification for users: Users are required to validate their accounts via a link provided in an automated e-mail.
Permanent deletion: Users can delete projects and study data from GetWhy if they have the appropriate access rights. The platform has all the features necessary for users to delete data and be compliant with GDPR. When a customer is conducting its own studies using the self-service platform, the customer is a Controller and must delete Personal Data from the platform according to the customer’s own data privacy policy. When GetWhy is conducting a study on behalf of a customer and/or when GetWhy generates, collects or Processes Usage Metadata, GetWhy acts as a Controller, and Personal Data is protected and deleted according to GetWhy’s Privacy Policy.
High availability: We ensure high availability with automated and manual testing, production monitoring, logging and alerts, fast continuous deployments, and industry-standard cloud infrastructure.
Infrastructure Security:
Hosting and storage: GetWhy services and data are hosted in Amazon Web Services (AWS) facilities in the EU.
Encryption: Data is encrypted while moving between us and the browser with Transport Layer Security (TLS). At Rest: Your data only resides in the production environment encrypted with AES-256. In Transit: Network communication uses TLS, and it is encrypted and authenticated.
Vulnerability scanning: GetWhy uses third-party security tools to scan for vulnerabilities. Our engineers respond to issues raised. We have no vulnerabilities on the OWASP Top 10.
Penetration testing: We perform independent third-party manual penetration testing at least once per year and, depending on the risk assessment, also when we make bigger system changes. Contact us for a copy of the latest report.
Backup policy: Our backup processes ensure data and information consistency with the highest standards. We use the AWS backup solution for data stores that contain customer data. Data is automatically backed up every 15 minutes, and we keep daily backups for 14 days. On an application level, we store logs of activity on a centralised log solution based on AWS Elasticsearch, Kibana and Logstash. Logs are stored for up to 15 days.
Monitoring & incident response: Production alerts are captured and automatically escalated. Outside of office hours, our engineering team has a best-effort and escalation policy. Security and confidentiality incidents submitted to support@getwhy.io or our in-app support chat will be resolved in accordance with the established incident policy.
Logging & audit trail: We log every user action performed in the system with a full audit trail.
Continuous delivery: We have a state-of-the-art agile software development lifecycle methodology and change management procedures. Our deployment method requires no downtime for the application.
Compliance:
ISO 27001: GetWhy is compliant with the Information Security Management System ISO/IEC 27001 standard.
VSA: We have completed the Vendor Security Alliance (VSA) Core self-assessment questionnaire; contact us for a copy.
OWASP: The most recent penetration test reported no vulnerabilities on the OWASP Top 10.
SSL Labs score: “A+” on their SSL Server test.
GDPR ready: GDPR is baked into our business processes, security policies and employee training. A GDPR check is part of our risk assessment and internal audit. See GetWhy’s Privacy Policy.
Personnel:
Roles-based access: An employee’s level of access is determined by the role and follows the least privilege principle.
Secure access: GetWhy uses SSO, an enforced password policy, and VPN to ensure employees have secure access to the system.
Multi-factor authentication: We enforce this for all privileged access and on all critical systems.
Employee asset control: Our employees’ devices are monitored in real-time and have antivirus, disk encryption, and security patches via an active directory.
Employee training: All employees complete annual Security and Awareness training and Secure Development Practices.
Confidentiality: All employee and contractor agreements include a confidentiality clause.
Policies: Our internal security policies cover a range of topics and are shared with all employees and contractors. GetWhy may update the above security measures from time to time, as set forth in GetWhy’s Public Security Declaration available at https://getwhy.io/security/.
With respect to UK-U.S. transfers of Personal Data, GetWhy (acting on its own behalf and as agent for each GetWhy Affiliate) and Customer (acting on its own behalf and as agent for each of its Affiliates) each hereby agree to Process such Personal Data in compliance with the UK SCCs, i.e., the EU SCCs as implemented under this Addendum, with the following modifications:
a. The EU SCCs will be deemed amended as specified by Part 2 of the UK Addendum;
b. Tables 1, 2 and 3 in Part 1 of the UK Addendum will be deemed completed respectively with the information set out in Section 11 of this Addendum (as applicable); and
c. Table 4 in Part 1 of the UK Addendum will be deemed completed by selecting “importer” and “exporter”.
To the extent that GetWhy Processes “Personal Information” subject to the CCPA:
a. Customer is a “Business” and GetWhy is a “Service Provider”, each as defined under the CCPA.
b. GetWhy will not: (i) retain, use, disclose or otherwise Process “Personal Information” for any purpose, including a “Commercial Purpose”, other than for the specific purposes as provided for in the Agreement or as needed to perform the Services, including to build or improve the quality of the Services, to detect Security Incidents, to protect against fraudulent or illegal activity, to retain Sub-processors in compliance with this Addendum, or as otherwise required or permitted by applicable Laws; (ii) “sell” or “share” Personal Information; (iii) Process Personal Information in any manner outside of the direct business relationship between Customer and GetWhy; or (iv) combine Personal Information from Customer with Personal Information that GetWhy received from or on behalf of another person or entity or that GetWhy collected from its own interactions with an individual.
c. Customer will only disclose Personal Information in connection with the Agreement, and only for the limited and specified purposes of receiving the Services.
d. Upon written request from Customer, GetWhy will provide written responses (which may include audit report summaries/extracts) to all reasonable requests for information made by Customer related to GetWhy’s Processing of Personal Information necessary to confirm GetWhy’s compliance with this Addendum; provided that Customer will not exercise this right more than once in any 12-month rolling period. Notwithstanding the foregoing, Customer (or its appointed representatives) may also exercise such audit right of GetWhy’s operations and facilities if Customer is expressly requested or required to provide this information to a data protection authority, if GetWhy has experienced a Security Incident, or as may be required under applicable Data Protection Laws. Such inspections will take place during normal business hours and will be subject to reasonable prior notice. In addition, upon written request from Customer, GetWhy will provide documentation verifying that it no longer retains or uses any Personal Information that Customer has made a valid request to GetWhy to cease using and/or delete. If, under the circumstances, the foregoing steps are insufficient (i) to ensure that GetWhy uses the Personal Information collected pursuant to the Agreement in a manner consistent with Customer’s obligations under the CCPA and this Addendum or (ii) to stop and remediate GetWhy’s unauthorized use of Personal Information, then the Parties will promptly coordinate to determine any additional reasonable and appropriate steps that will be taken to ensure compliance. In furtherance of the foregoing, upon written request from Customer, GetWhy will provide written responses (which may include audit report summaries/extracts) to all reasonable requests for information made by Customer related to GetWhy’s Processing of Personal Information necessary to confirm GetWhy’s compliance with this Addendum, provided that Customer will not exercise this right more than once in any 12-month rolling period. Notwithstanding the foregoing, Customer (or its appointed representatives) may also exercise such audit right of GetWhy’s operations and facilities in the event that Customer is expressly requested or required to provide this information to a data protection authority, if GetWhy has experienced a Security Incident, or as may be required under applicable Data Protection Laws. Such inspections will take place during normal business hours and be subject to reasonable prior notice. In addition, upon written request from Customer, GetWhy will provide documentation verifying that it no longer retains or uses any Personal Information that Customer has made a valid request to GetWhy to cease using and/or delete. GetWhy certifies that it understands the restrictions contained in this paragraph and will comply with them.
e. Each Party certifies that it understands the requirements under the CCPA.
f. As used in this Section 11, the following terms have the meanings set forth in the CCPA: (1) Personal Information; (2) Business; (3) Service Provider; (4) Commercial Purpose; (5) Sell; and (6) Share.
Except as expressly set forth in this Addendum, all other terms and conditions of the Agreement will continue and remain in full force and effect. In the event of any conflict between the provisions of this Addendum and the Agreement, the provisions of this Addendum will prevail.
This Addendum will be governed by and construed in accordance with the Laws of Denmark, without prejudice to the provisions of the Laws of the country where the Customer has its principal place of business that cannot be derogated from contractually and without regard to conflict of law principles (as such Laws are applied to agreements entered into and to be performed entirely within Denmark between residents of Denmark).
If any variation is required to this Addendum as a result of a change in or subsequently applicable Data Protection Laws or if the SCCs, as clarified, fail as a lawful data transfer mechanism, then either party may provide written notice to the other party of that change in laws. The parties then will discuss and negotiate in good faith any variations to this addendum necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable.