Effective Date: March 30, 2026

This Data Processing Agreement ("DPA") is entered into between:

• Data Processor: UX Metrics, LLC ("Processor", "we", "us")
• Data Controller: The entity agreeing to these terms ("Controller", "you")

This DPA supplements and forms part of the Terms of Service between Controller and Processor, and reflects the parties' obligations under the EU General Data Protection Regulation (GDPR) Article 28.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
• "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and erasure.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and Purpose of Processing

The Processor shall process Personal Data only to provide the UX Metrics platform services, including:

• Hosting and maintaining customer accounts
• Storing and processing UX research study data (card sorts, tree tests, surveys, first click tests, five second tests, and preference tests)
• Collecting and storing participant responses
• Sending transactional emails on behalf of the Controller
• Processing payments for subscription services
• Providing AI-powered analysis of study results when requested by the Controller

3. Types of Personal Data Processed

Category	Data Elements
Account data	Name, email address, hashed password, OAuth identifiers
Billing data	Subscription status, payment method (via Stripe — no card numbers stored)
Study data	Research study configurations, cards, tasks, questions, instructions
Participant responses	Anonymous by default; may include names or demographics if configured by the Controller
Usage data	Aggregated activity metrics, session data

4. Categories of Data Subjects

• Platform users: Individuals who create accounts to design and manage UX research studies.
• Study participants: Individuals who voluntarily participate in UX research studies. Participants do not require accounts and are anonymous by default.

5. Processor Obligations

5.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, except where required by applicable law. The Processor shall inform the Controller if, in its opinion, an instruction infringes GDPR or other data protection provisions.

5.2 Confidentiality

The Processor ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• TLS encryption for all data in transit
• AES-256 encryption for all data at rest
• Bcrypt password hashing with strong work factors
• Role-based access controls at the workspace and folder level
• Encrypted session management
• Web Application Firewall (WAF) and DDoS protection via Cloudflare
• SOC-2 compliant application hosting via Render.com

5.4 Sub-processors

The Controller provides general written authorization for the Processor to engage sub-processors. The current list of sub-processors is maintained on our Trust Center. The Processor shall:

• Notify the Controller of any intended changes to sub-processors
• Ensure each sub-processor is bound by data protection obligations no less protective than those in this DPA
• Remain fully liable to the Controller for the performance of each sub-processor's obligations

5.5 Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests, including requests for access, rectification, erasure, portability, restriction, and objection.

5.6 Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach. The notification shall include the nature of the breach, categories of data affected, approximate number of Data Subjects affected, and measures taken or proposed to address the breach.

5.7 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28, and shall allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller. The Controller shall provide reasonable advance notice of any audit.

6. International Data Transfers

Personal Data may be transferred to and processed in the United States, where our infrastructure is primarily located. For transfers of Personal Data from the EU/EEA to the United States, we rely on:

• The EU-U.S. Data Privacy Framework, where applicable
• Standard Contractual Clauses (SCCs) as approved by the European Commission

The Processor shall ensure that any onward transfers comply with GDPR Chapter V requirements.

7. Data Return and Deletion

Upon termination of services or upon the Controller's request, the Processor shall:

• Return all Personal Data to the Controller in a standard, machine-readable format, or
• Delete all Personal Data and certify such deletion in writing

The Controller may export study data at any time through the platform's built-in export functionality.

8. Term and Termination

This DPA shall remain in effect for the duration of the Controller's use of the UX Metrics platform. The obligations of the Processor regarding the processing of Personal Data shall survive for as long as the Processor retains Personal Data processed on behalf of the Controller.

9. Governing Law

This DPA shall be governed by and construed in accordance with the laws that govern the Terms of Service between the parties. For matters arising under GDPR, the applicable provisions of EU data protection law shall apply.

10. Signatures

By continuing to use the UX Metrics platform, the Controller agrees to the terms of this DPA. If you require a countersigned copy, please contact support@uxmetrics.com.