Legal Documents
Data Processing Agreement
You agree that our continued provision of services to you, and your continued use of them, represent your agreement to be bound by our privacy policy and GDPR policy.
Last Updated 07/02/2024
Please take your time to read through this information carefully and contact us if you have any questions.
Data Processing
We will only act and process Customer Data in accordance with the documented instructions from you, unless required by law to act without such Instruction. The Instruction at the time of entering into this DPA is that Voteq may only process your data with the purpose of delivering Services as described in its Terms & Conditions and any product-specific agreements. Subject to the terms of this DPA and with the agreement of the parties, you may issue additional written instructions consistent with the terms of this agreement. You are responsible for ensuring that all individuals who provide instructions are authorised to do so. We will inform you of any instruction that it deems to be in violation of GDPR and will not execute the instructions until they have been confirmed or modified.
Confidentiality
- 4.1. Voteq is authorized by the Customer to engage third-party Sub-Processors for the processing of Customer Data. Voteq will ensure that Sub-Processors have access to Customer Data only to the extent necessary for the provision of the Services.
- 4.2. will enter into a written agreement with each Sub-Processor, which will include data protection obligations that are at least as stringent as those set forth in this DPA. Voteq remains fully responsible and accountable for the actions and omissions of any Sub-Processor, as if they were its own.
- 4.3. In the event of engaging a new Sub-Processor, Voteq will notify the Customer at least 30 days prior to the Sub-Processor processing any Customer Data. Notifications will be sent to the account email address and/or through the control panel interface. It is the sole responsibility of the Customer to ensure that their account information is accurate and up to date.
- The Customer has the right to object to the use of a Sub-Processor by terminating this Addendum and the Services, in accordance with the Voteq Terms and Conditions. A list of the current Sub-Processors can be found in Annex 1.
Sub-Processing
-
2.1. Under this DPA, Voteq will process Customer Data solely based on documented instructions provided by the Customer (referred to as the “Instruction”), unless obligated by law to process the data without such Instruction. At the time of entering into this DPA, the Instruction is that Voteq may process Customer Data solely for the purpose of delivering the Services as described in the Voteq Ltd Terms & Conditions and any applicable product-specific agreements. Customer has the right to issue additional written instructions, consistent with the terms of this Agreement, with the agreement of both parties. It is the responsibility of the Customer to ensure that individuals providing instructions are authorized to do so.
-
2.2. If Voteq receives an instruction that it considers to be in violation of the GDPR, Voteq will notify the Customer and will not execute the instruction until it is confirmed or modified.
-
2.3. Both parties acknowledge and agree that:
- 2.3.1 Voteq acts as a Data Processor of Customer Data under the GDPR.
- 2.3.2 Customer acts as a Data Controller of Customer Data under the GDPR.
Security
- 3.1. Customer Data shall be regarded as strictly confidential, and Voteq shall not copy, transfer, or otherwise process the Customer Data in any way that conflicts with the Instruction from the Customer, except when required by law.
- 3.2. All employees of Voteq shall be bound by a strict obligation of confidentiality. They are required to treat all Customer Data covered by this DPA as highly confidential and process it only in accordance with the terms of this DPA and the documented instructions provided by the Customer.
Data Breach Notifications
- 4.1. Voteq is authorized by the Customer to engage third-party Sub-Processors for the processing of Customer Data. Voteq will ensure that Sub-Processors have access to Customer Data only to the extent necessary for the provision of the Services.
- 4.2. will enter into a written agreement with each Sub-Processor, which will include data protection obligations that are at least as stringent as those set forth in this DPA. Voteq remains fully responsible and accountable for the actions and omissions of any Sub-Processor, as if they were its own.
- 4.3. In the event of engaging a new Sub-Processor, Voteq will notify the Customer at least 30 days prior to the Sub-Processor processing any Customer Data. Notifications will be sent to the account email address and/or through the control panel interface. It is the sole responsibility of the Customer to ensure that their account information is accurate and up to date.
- The Customer has the right to object to the use of a Sub-Processor by terminating this Addendum and the Services, in accordance with the Voteq Terms and Conditions. A list of the current Sub-Processors can be found in Annex 1.
Data Subject Rights
- 5.1. Voteq is committed to implementing and maintaining appropriate technical and organizational measures to ensure the security of Customer Data. These measures are designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Customer Data, in accordance with the requirements of GDPR Article 32. The specific technical and organizational security measures implemented by Voteq can be found in Annex 2 of this Addendum.
- 5.2. It is important to note that the security measures employed by Voteq may be subject to updates or modifications as technology advances and develops. However, any such updates or modifications will not result in a degradation of the overall security of Customer Data.
- 5.3. Furthermore, Voteq will provide controls within the control panel that enable the Customer to further secure their Customer Data, enhancing the overall security of the data.
Data Transfers
- 6.1. In the event that Voteq becomes aware of a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Customer Data on systems managed or controlled by Voteq, Voteq will promptly notify the Customer. Notifications regarding such incidents will be sent to the email address associated with the Customer’s account. It is the responsibility of the Customer to ensure that the provided email address is accurate and kept up to date within the control panel.
- 6.2. Voteq will make reasonable efforts to investigate and determine the cause of the breach and take necessary measures to prevent similar breaches from occurring in the future.
- 6.3. It is important to note that notifications of data breaches will only include incidents that actually compromise the security of Customer Data. Unsuccessful attempts or activities, such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks that do not pose a threat to the security of Customer Data, will not be included in the Data Breach Notifications.
7. Data Subject Rights
- 7.1. If Voteq receives a request directly from a Data Subject to exercise their rights regarding Customer Data, Voteq will promptly forward the request to the Customer. It is then the responsibility of the Customer to respond to the request within the timeframes specified in the GDPR.
- 7.2. Voteq will provide assistance to the Customer in fulfilling their obligations to respond to such requests by data subjects. This assistance may include providing controls within the control panel that can help the Customer comply with the requirements and commitments outlined in the GDPR.
8. Data Transfers
- 8.1. As mentioned in the privacy policy, Voteq stores and processes data in secure data centers located within the European Economic Area (EEA). However, there may be instances where data needs to be transferred and processed outside the EEA, particularly when Sub-Processors maintain their own data processing operations in other countries. By using the services provided by Voteq, the Customer agrees to the transfer, storage, or processing of their data outside the EEA.
- 8.2. Voteq assures that it will take all reasonable steps necessary to ensure that Customer Data is treated securely and in compliance with the applicable Data Protection Laws, including implementing appropriate safeguards and contractual agreements with Sub-Processors to protect the data during such transfers and processing activities.
9. Compliance and Audit Rights
- 9.1. Under the terms of the Data Processing Agreement (DPA), Voteq agrees to maintain records of its security standards and provide the necessary information to demonstrate compliance with the agreement. Upon written request by the Customer, Voteq will make the relevant information available for audit or inspection purposes, with reasonable prior notice of at least 30 days. Audits or inspections should not be conducted more than once in a 12-month period, unless exceptional circumstances arise. If Voteq refuses a valid audit or inspection request, the Customer retains the right to terminate the DPA and associated services.
| Stripe | Payment Gateway |
| Sage / Xero | Accounting & Government Responsibilities |
| Slack | Internal communication of support issues/service incidents. |
| Google: including Adwords, Google Analytics, Youtube, Drive, Data Studio, Google My Business. | Site analytics, targeting and exclusion from PPC advertising, purchasing data. Reporting on anonymised data. |
| Facebook, Instagram and Twitter. | Targeting and exclusion from PPC advertising |
| Mailchimp | Sending email and email analytics. Signups for newsletters. |
| Â 20i | Â Datacenter and Accessibility provider. |
10. Return or Deletion of Data
- 10.1. Upon termination of the Data Processing Agreement or the associated services in accordance with Voteq’s Terms & Conditions, Voteq will retain Customer Data only for the duration necessary to fulfill the purposes for which it was collected. Unless otherwise required by law, all Customer Data will be deleted. In cases where Customer Data is archived on backup systems, Voteq will securely isolate and protect it from any further processing.
11. Limitation of Liability
- 11.1. The liability of each party under this addendum is subject to the limitation of liability as outlined in Voteq’s Terms & Conditions. It is clarified that Voteq will not be held liable for any losses or damages incurred by the Customer if the Customer is found to be using the Services in violation of the Terms & Conditions, irrespective of whether Voteq terminates or suspends the account due to such violation.
12. Annex 1 - Sub-Processors
| Worldpay | Payment Gateway |
| MasterCard Payment Gateway Services | Accounting & Government Responsibilities |
| Nominet | Internal communication of support issues/service incidents. |
| Tucows (OpenSRS) | Site analytics, targeting and exclusion from PPC advertising, purchasing data. Reporting on anonymised data. |
| GeoTrust (Symantec) | Targeting and exclusion from PPC advertising |
| Mailchimp | Sending email and email analytics. Signups for newsletters. |
| Â 20i | Â Datacenter and Accessibility provider. |
13. Annex 2 - Security Measures
- Available upon request.
Are you in need of some help?
We have a lot of documents and they can get a little confusing no matter how much we try to keep everything nice and simple. Please get in touch if you require some assistance.