List of Parties
Data Exporter
Customer (as defined in the General Terms and Conditions or other negotiated agreement between the parties (the “Agreement”))
Data Importer
UserTesting (as defined in the Agreement) and/or any of its Affiliates that may receive data from Customer
Applicability/Roles
For exports from the European Economic Area:
- For a transfer or disclosure of, or other type of access to personal data from the UK, Switzerland, or from the EEA, in each case to a person or entity in a third country or to an international organization which does not ensure an adequate level of protection or is not governed by an existing appropriate safeguard (e.g. binding corporate rules) in accordance with the relevant data protection laws (each an “International Transfer”) in respect of Shared Personal Data between the parties, Module 1 of the SCC approved by the European Commission in Decision C(2021) 3972 (“EU SCC”).
- For International Transfers where Customer (as a Data Controller) transfers Customer Personal Data to UserTesting (as a Data Processor), Module 2 of the EU SCC that correspond to the parties’ roles as Processor or Controller in the context of the International Transfer.
- For International Transfers where Customer (as a Data Processor) transfers Customer Data to UserTesting (as a Data Sub-Processor), Module 3 of the EU SCC that correspond to the parties’ roles as Processor or Controller in the context of the International Transfer.
For exports from the United Kingdom (“UK”):
- For International Transfers that occur prior to 21 March 2022:
When the exporter is a Controller and the importer is a Processor, the SCC approved by the European Commission in Decision C(2010) 593, as amended, updated, or replaced by the UK Government from time to time (“2010 UK SCC”). - For International Transfers that occur on or after 21 March 2022:
The modules of the EU SCC that correspond to the parties’ roles as Processor or Controller in the context of the International Transfer, as such EU SCC are amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B.10 (21 March, 2022), issued under S1198A(1) of Data Protection Act 2018 (“UK Addendum”), each of which shall be completed as set forth in the UK SCC section below.
For exports from Switzerland:
- The modules of the EU SCC that correspond to ther parties’ roles as Processor or Controller in the context of the International Transfer, each of which shall be completed as set forth in the EU SCC section below, as amended as set forth in the Swiss SCC section below. For the avoidance of doubt, nothing in these amendments is intended to decrease the level of protection to be provided by the EU SCC.
EU SCC
- The parties select Option 2 (General Written Authorisation) in Clause 9 (Use of Sub-Processors), in relevant modules. UserTesting maintains an up-to-date list of Sub-Processors for each Platform at https://www.usertesting.com/privacy-center. The time period within and process by which an importer must inform the exporter of intended changes to Sub-Processors is that set forth in the Data Processing Agreement between the parties (hereinafter, the “DPA”).
- The optional clause in Clause 7 (Docking) of the EU SCC does not apply.
- The optional clause in Clause 11(a) (Redress) of the EU SCC does not apply.
- The parties select Option 1 in Clause 17 (Governing Law) of the EU SCC, in relevant modules, and agree to the law and courts of Ireland for purposes of Clause 17 and Clause 18 (Choice of Forum and Jurisdiction).
- For purposes of Annex I of the EU SCC:
The description of Processing in the DPA applies to International Transfers, unless otherwise specified.
Personal Data may be transferred on a continuous basis. - The Irish DPA is the competent Supervisory Authority. For purposes of Annex II of the EU SCC, the technical and organizational measures are set forth at https://www.usertesting.com/privacy-center/data-processing-agreement
UK SCC
For International Transfers under the 2004 UK SCC or 2010 UK SCC:
- The governing law is that of England and Wales for purposes of Clause 9 (Governing Law) and 11 (Sub-Processing) of the 2010 UK SCC.
- For purposes of Appendix 1 of the 2010 UK SCC, the description of Processing in the DPA applies to International Transfers, unless otherwise specified.
- For purposes of Appendix 2 of the 2010 UK SCC, the technical and organizational measures are set forth at https://www.usertesting.com/sites/default/files/2023-09/UserTesting%20TOMs.pdf and the optional paragraph on liabilities does not apply.
- The parties select option (i) (the data protection laws of the country in which the data exporter is established) in Clause II(h) of the 2004 UK SCC.
- For purposes of Annex B of the 2004 UK SCC:
- The description of Processing in the DPA applies to International Transfers, unless otherwise specified.
- The parties may disclose transferred Personal Data to recipients listed in the parties’ respective privacy notices.
- Registration information will be made available upon request.
- The illustrative commercial clauses do not apply.
For International Transfers under the EU SCC, as modified by the UK Addendum:
- Table 1 shall be completed as set forth in the DPA and the Agreements.
- Table 2: The selection shall be “the Approved EU SCC, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCC brought into effect for the purposes of this Addendum” and the table shall be completed as follows:
- The operative modules shall be deemed completed in a manner corresponding with the parties’ roles as set forth in the DPA.
- Clause 7 (Docking Clause) does not apply.
- Clause 11 (Option) does not apply.
- Clause 9a (Prior Authorisation or General Authorisation) shall be “General Authorisation,” and the time period and process by which this is done is, “as set forth in the DPA.”
- The question, “is personal data received from the Importer combined with personal data collected by the Exporter” shall be “no,” unless otherwise specified in the DPA. - Table 3 shall be completed as follows:
- Annex I.A: “The parties as set forth in the Agreement”
- Annex I.B: “The Description of Processing set forth in the DPA”
- Annex II: “The technical and organizational measures are set forth at https://www.usertesting.com/sites/default/files/2023-09/UserTesting%20TOMs.pdf"
- Annex III: “The relevant list(s) of Sub-processors are as set forth at https://www.usertesting.com/privacy-center” - Table 4: The selection shall be “Importer.”
Swiss SCC
- References to GDPR shall be interpreted to also include references to the Swiss Federal Act on Data Protection (“FADP”)
- Clause 13 and Annex I.C. of the EU SCC shall include the Federal Data Protection and Information Commissioner as an additional competent Supervisory Authority.
- In the event that the International Transfer is exclusively subject to the FADP, Clause 17 of the EU SCC shall include Swiss law as the governing law; and
In Clause 18 of the EU SCC, references to “member state” shall also include references to Switzerland in order to ensure that Swiss Data Subjects may exercise their rights under FADP.