Data Processing Agreement Instructions

Last updated: November 17, 2023

The data processing agreement (“DPA”) is a legally binding contract that sets forth the data protection obligations and rights involved in data processing. A DPA is typically entered into between a data controller (in this case, an EU/UK customer of Sawtooth Software or an EU/UK user who uses a free version of our software or application) and a data processor, which could be a service provider (in this case, Sawtooth Software).

A DPA is required under EU/UK General Data Protection Regulations (GDPR). It helps both the data controller and data processor gain a clear understanding of personal data processing, transparency, and accountability.

Sawtooth Software’s DPA contains the modernized Standard Contractual Clauses (SCCs) issued on June 7, 2021, by the European Commission, which has been endorsed by the UK and Switzerland. Our DPA also includes the International Data Transfer Agreement issued on March 21, 2022, by the UK Information Commissioner’s Office (UK ICO).

For more details on when it is necessary to have a DPA or SCCs in place, please see our Frequently Asked Questions page.

If you are a customer or user who would like a DPA in place, we provide a partially prefilled DPA for your convenience. This DPA should be updated based on the specific data required by your research/survey. Please fill out the few yellow highlighted areas in the DPA before you return this agreement back to your Account Executive and proceed with the execution of the agreement. THIS DPA IS NOT VALID UNLESS IT HAS BEEN FULLY EXECUTED BY AUTHORIZED REPRESENTATIVES OF THE DATA CONTROLLER AND THE DATA PROCESSOR, AND BOTH PARTIES MUST RECEIVE A COPY OF THE FULLY EXECUTED DPA.

Please contact sales@sawtoothsoftware.com if you have any questions or concerns about this DPA.

For additional guidance on DPA or SCCs, please consult your cross-border data protection or privacy counsel, the UK ICO, or the Supervisory Authority of your country (contact details of national data protection authorities in the EEA is available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en).

Disclaimer: We do not offer/provide legal advice, and we are not associated to any regulatory authorities. Hence, we strongly encourage you to seek advice from a Data Protection Officer, Compliance Officer, and/or General Counsel at your company/academic institute, a Supervisory Authority in your country, or an outside counsel who specializes in cross-border data protection/transfer or privacy law. Please understand that the purpose of the Q&As is to help you become familiar with General Data Protection Regulation (GDPR) and see the importance of GDPR in relation to your research/survey project.