63% of people surveyed review a company's security track record and privacy policy before using its products or services.
Standard Contractual Clauses
We have drafted this DPA to include all possible SCC configurations. Not all of them may apply to you. For greater clarity:
California Consumer Privacy Act (CCPA)
We have updated this DPA to reflect the California Privacy Rights Act (CPRA) amendments to the CCPA. We do not accept any Customer modifications or amendments to this DPA.
This Momentive Data Processing Agreement (“DPA”) forms part of your Agreement with Momentive and contains certain terms relating to data protection, privacy, and security in accordance with the Data Protection Legislation, where applicable. In the event (and to the extent only) that there is a conflict between the different Data Protection Legislation laws and regulations, the parties shall comply with the more onerous requirements or higher standard which shall, in the event of a dispute in that regard, be determined solely by Momentive.
This DPA is between the Customer and the applicable Momentive entity determined as follows:
(i) for Customers located in any country other than the United States, Momentive Europe UC shall be the contracting entity;
(ii) for Customers located inside the United States, Momentive Inc. shall be the contracting entity.
This is the latest version of the DPA (dated 1 January 2023).
In this DPA the following expressions shall, unless the context otherwise requires, have the following meanings:
“Article 28” means article 28 of GDPR and the UK GDPR as applicable to the processing of Customer Personal Data.
“Customer” or “you” means the customer that is identified on, and/or is a party to, the Agreement.
“Customer Data” means all data (including but not limited to Customer Personal Data) that is provided to Momentive by, or on behalf of, Customer through Customer’s use of the Services, and any data that third parties submit to Customer through the Services.
“Customer Personal Data” means all Personal Data that is submitted to the Services by or to Customer, processed by Momentive for the purposes of delivering the Services to the Customer including but not limited to the personal data set out in Appendix 2 to this DPA.
“Data Protection Legislation” means:
(i) the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and all other applicable EU, EEA or European single market Member State laws or regulations or any update, amendment or replacement of same that applies to processing of personal data under the Agreement;
(ii) the Swiss Federal Act on Data Protection ("FADP"), or the new Federal Act on Data Protection that shall come into force on January 1, 2023 ("nFADP");
(iii) all U.S. laws and regulations that apply to processing of personal data under the Agreement including but not limited to the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 - 1798.199) ("CCPA");
(iv) all laws and regulations that apply to processing of personal data under the Agreement from time to time in place in the United Kingdom (including the UK GDPR); and
(v) the Personal Information Protection and Electronic Documents Act ("PIPEDA"), or any update, amendment or replacement of same that applies to processing of personal data in Canada.
The terms “controller”, “data protection impact assessment”, “process”, “processing”, “processor” and “supervisory authority” have the same meanings as in the GDPR or the UK GDPR.
“Momentive” or “us” means in the case of Customers in the United States, Momentive Inc. and, in the case of customers outside of the United States, Momentive Europe.
“Momentive Europe” means Momentive Europe UC, an Irish company, located at 2 Shelbourne Buildings, Second Floor, Shelbourne Road, Dublin 4, Ireland.
“Momentive Inc.” means Momentive Inc., a Delaware corporation located at One Curiosity Way, San Mateo, CA 94403, United States.
“Momentive Privacy Notice” means the Momentive Privacy Notice at https://www.surveymonkey.com/mp/legal/privacy/.
"Personal Data" means information relating to a living individual who is, or can be, reasonably identified from information, either alone or in conjunction with other information (a "Data Subject").
“Services” means the services ordered by Customer from Momentive under the Agreement.
“SCCs” means the “Standard Contractual Clauses” annexed to the European Commission Decision of: (i) 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR; or (ii) (until such time as Momentive has entered into the Standard Contractual Clauses outlined at (i)) 5 February 2010 on standard contractual clauses for the transfer of Customer Personal Data to processors established in third countries under Directive 95/46/EC. Where the FADP/nFADP applies, all references made in the SCCs shall be understood as corresponding references to the FADP/nFADP. All terms used in this context shall therefore receive the definition that is provided in the FADP/nFADP.
"UK Addendum" means (i) the template addendum issued by the UK Information Commissioner's Office and laid before the UK Parliament in accordance with section 119A of the UK Data Protection Act 2018 on 2 February 2022, as it is revised under section 18 of the Mandatory Clauses from time to time. The template addendum referred to in this definition means the document entitled "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses", version B1.0, in force 21 March 2022; or (ii) (until such time as Momentive has entered into the UK Addendum outlined at (i)), the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC.
"UK GDPR" means the EU GDPR as it forms part of the laws of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and 2020 respectively and any legislation in force in the United Kingdom from time to time that subsequently amends or replaces the UK GDPR.
In the provision of the Services to the Customer, Momentive is a processor of Customer Personal Data for the purposes of GDPR. With respect to CCPA, as applicable, Momentive and Customer hereby agree that Momentive is a "Service Provider" and Customer is the "Business" with respect to Personal Information (as defined under the CCPA).
This DPA shall remain in force until such time as the Agreement is terminated (in accordance with its terms) or expires.
Customer shall ensure and hereby warrants and represents that it is entitled to transfer the Customer Data to Momentive so that Momentive may lawfully process and transfer the Personal Data in accordance with this DPA. Customer shall ensure that any relevant data subjects have been informed of such use, processing, and transfer as required by the Data Protection Legislation and that lawful consents have been obtained (where appropriate). Customer shall ensure that any Personal Data processed or transferred to Momentive will be done lawfully and properly.
Where Momentive is processing Customer Personal Data for Customer as a processor, Momentive will:
(a) only do so on documented Customer instructions and in accordance with the Data Protection Legislation, including with regard to transfers of Personal Data to other jurisdictions or an international organization, and the parties agree that the Agreement constitutes such documented instructions of the Customer to Momentive to process Customer Personal Data (including to locations outside of the EEA) along with other reasonable instructions provided by the Customer to Momentive (e.g. via email) where such instructions are consistent with the Agreement;
(b) ensure that all Momentive personnel involved in the processing of Customer Personal Data are subject to confidentiality obligations in respect of the Personal Data;
(c) make available information necessary for Customer to demonstrate compliance with its Article 28 obligations (if applicable to the Customer) where such information is held by Momentive and is not otherwise available to Customer through its account and user areas or on Momentive websites, provided that Customer provides Momentive with at least 14 days' written notice of such an information request;
(d) co-operate as reasonably requested by Customer to enable Customer to comply with any exercise of rights by a data subject afforded to data subjects by Data Protection Legislation in respect of Personal Data processed by Momentive in providing the Services;
(e) provide assistance, where necessary, with requests received directly from a Data Subject in respect of a Data Subject's Personal Data submitted through the Services;
(f) upon deletion by you, not retain Customer Personal Data from within your account other than in order to comply with applicable laws and regulations and as may otherwise be kept in routine backup copies made for disaster recovery and business continuity purposes subject to our retention policies;
(g) cooperate with any supervisory authority or any replacement or successor body from time to time (or, to the extent required by the Customer, any other data protection or privacy regulator under Data Protection Legislation) in the performance of such supervisory authority's tasks where required;
(h) assist Customer as reasonably required where Customer:
(i) conducts a data protection impact assessment involving the Services (which may include by provision of documentation to allow customer to conduct their own assessment); or
(ii) is required to notify a Security Incident (as defined below) to a supervisory authority or a relevant data subject;
(i) will not (a) sell or share any Personal Information (as defined under the CCPA) for a commercial purpose, or (b) collect, retain, use, disclose, or otherwise process Personal Information other than (1) to fulfill its obligations to Customer under the Agreement, (2) on the Customer's behalf, (3) for the Customer's operational purposes, (4) for Momentive's internal use as permitted by Data Protection Legislation, (5) to detect data security incidents or protect against fraudulent or illegal activity, or (6) as otherwise permitted under Data Protection Legislation;
(j) Where required by Data Protection Legislation, Momentive will inform Customer if it comes to its attention that any instructions received by Customer infringe the provisions of Data Protection Legislation. Notwithstanding the foregoing, Momentive shall have no obligation to monitor or review the lawfulness of any instruction received from the Customer; and
(k) Momentive certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
6.1 Subprocessing. Customer provides a general authorization to Momentive to engage onward subprocessors, subject to compliance with the requirements in this Section 6.
6.2 Subprocessor List. Momentive will, subject to the confidentiality provisions of the Agreement or otherwise imposed by Momentive:
(a) make available to Customer a list of the Momentive subcontractors who are involved in processing or subprocessing Customer Personal Data in connection with the provision of the Services (“Subprocessors”), together with a description of the nature of services provided by each Subprocessor (“Subprocessor List”). A copy of this Subprocessor List may be requested here;
(b) ensure that all Subprocessors on the Subprocessor List are bound by contractual terms that are in all material respects no less onerous than those contained in this DPA; and
(c) be liable for the acts and omissions of its Subprocessors to the same extent Momentive would be liable if performing the services of each of those Subprocessors directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6.3 New / Replacement Subprocessors. Momentive will provide Customer with written notice of the addition of any new Subprocessor or replacement of an existing Subprocessor at any time during the term of the Agreement (“New Subprocessor Notice”). The Customer will sign up to a mailing list made available by Momentive through which such notices will be delivered by e-mail or alternatively will check on updates to the list here. If Customer has a reasonable basis to object to Momentive’s use of a new or replacement Subprocessor, Customer will notify Momentive promptly in writing and in any event within 30 days after receipt of a New Subprocessor Notice. In the event of such reasonable objection, either Customer or Momentive may terminate the portion of any Agreement relating to the Services that cannot be reasonably provided without the objected-to new Subprocessor (which may, at Momentive's discretion and election, involve termination of the entire Agreement) with immediate effect by providing written notice to the other party. Such termination will be without a right of refund for any fees prepaid by Customer for the period following termination.
7.1 Security Measures. Momentive has, taking into account the state of the art, cost of implementation and the nature, scope, context and purposes of the Services and the level of risk, implemented appropriate technical and organizational measures (in accordance with Appendix 1) to ensure a level of security appropriate to the risk of unauthorized or unlawful processing, accidental loss of and/or damage to Customer Data. At reasonable intervals, Momentive tests and evaluates the effectiveness of these technical and organizational measures for ensuring the security of the processing.
7.2 Security Incident and Breach Notification. If Momentive becomes aware of any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of, Customer Personal Data (“Security Incident”), Momentive will take reasonable steps to notify Customer without undue delay. A Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems. Any notification of a Security Incident to the Customer does not constitute any acceptance of liability by Momentive.
7.3 Momentive will also reasonably cooperate with Customer with respect to any investigations relating to a Security Incident, assist with preparing any required notices, and provide any information reasonably requested by Customer in relation to any Security Incident.
8.1 Audits. Where Momentive is processing Customer Personal Data for Customer as a processor (only), the Customer will provide Momentive with at least one month's prior written notice of any audit, which may be conducted by Customer or an independent auditor appointed by Customer (provided that no person conducting the audit shall be, or shall act on behalf of, a competitor of Momentive) (“Auditor”). The scope of an audit will be as follows:
(a) Customer will only be entitled to conduct an audit once per subscription year unless otherwise legally compelled or required by a regulator with established authority over the Customer to perform or facilitate the performance of more than 1 audit in that same year (in which circumstances Customer and Momentive will, in advance of any such audits, agree upon a reasonable reimbursement rate for Momentive's audit expenses).
(b) Momentive agrees, subject to any appropriate and reasonable confidentiality restrictions, to provide evidence of any certifications and compliance standards it maintains and will, on request, make available to Customer an executive summary of Momentive’s most recent annual penetration tests, which summary shall include remedial actions taken by Momentive resulting from such penetration tests.
(c) The scope of an audit will be limited to Momentive systems, processes, and documentation relevant to the processing and protection of Customer Personal Data, and Auditors will conduct audits subject to any appropriate and reasonable confidentiality restrictions requested by Momentive.
(d) Customer will promptly notify and provide Momentive on a confidential basis with full details regarding any perceived non-compliance or security concerns discovered during the course of an audit.
8.2 The parties agree that, except as otherwise required by order or other binding decree of a supervisory authority or regulator with authority over the Customer, this Section 8 sets out the entire scope of the Customer’s audit rights as against Momentive.
9.1 To the extent applicable, for transfers of Customer Personal Data from the European Economic Area ("EEA"), Switzerland, or the United Kingdom to locations outside the EEA, Switzerland, and the United Kingdom (either directly or via onward transfer) that do not have adequate standards of data protection as determined by the European Commission or relevant Data Protection Legislation, Momentive relies upon:
(a) the SCCs; and
(b) for transfers subject to the UK GDPR, the UK Addendum; or
(c) such other appropriate safeguards, or derogations (to the limited extent appropriate), specified or permitted under the Data Protection Legislation.
9.2 Where required, the parties hereby enter into the SCCs (a copy of which is accessible here) and the UK Addendum (Appendix 3). The SCCs are incorporated into this Agreement by reference and shall apply as follows:
(a) where Customer contracts with Momentive Inc. in the United States under the Agreement for Services and is a data controller of Customer Personal Data and through use of the Services is transferring that Customer Personal Data from the EEA to locations which have not been determined to provide adequate levels of protection to Personal Data by the European Commission, Momentive enters into the SCCs as data importer and the Customer enters into the SCCs as data exporter and Module Two only of the SCCs will apply; and/or
(b) where Customer contracts with Momentive Inc. in the United States under the Agreement for Services and is a data processor of Customer Personal Data and through use of the Services is transferring that Customer Personal Data from the EEA to locations which have not been determined to provide adequate levels of protection to Personal Data by the European Commission, Momentive enters into the SCCs as data importer and the Customer enters into the SCCs as data exporter and Module Three only of the SCCs will apply; and/or
(c) where Customer is not a resident of the EEA and contracts with Momentive Europe UC to store Customer Personal Data within the EEA under the Agreement, and is a data controller of Customer Personal Data, and through use of the Services is transferring that Personal Data from the EEA to locations which have not been determined to provide adequate levels of protection to Personal Data by the European Commission, Momentive enters into the SCCs as data exporter and the Customer enters into the SCCs as data importer and Module Four only of the SCCs will apply; and
(d) in Clause 7, the optional docking clause will apply;
(e) in Clause 11, the optional language will not apply;
(f) in Clause 17, the SCCs will be governed by Irish law;
(g) in Clause 18, disputes shall be resolved before the courts of Ireland; and
(h) Annex I and II of the SCCs shall be deemed completed with the information set out in the Agreement and details provided in the Appendices to this DPA.
9.3 For transfers that are protected by the FADP/nFADP, the SCCs shall apply in accordance with Section 9.2 above, except:
(a) any references in the SCCs to the GDPR shall be interpreted as references to the FADP/nFADP;
(b) any references to “EU”, “Union”, and “Member State law” shall be interpreted as references to Switzerland and Swiss law; and
(c) any references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the relevant data protection authority and courts in Switzerland, unless the SCCs, implemented as described above, cannot be used to lawfully transfer such Customer Personal Data in compliance with the FADP/nFADP, in which case the Swiss SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. For the purposes of the Swiss SCCs, the relevant Annexes of the Swiss SCCs shall be populated using the information contained in the Appendices I and II to this DPA (as appropriate) and the interpretive provisions set out in this Section 9.3 shall apply (as applicable and as required for the purposes of complying with the FADP/nFADP).
9.4 Upon written request and in accordance with the provisions of the Standard Contractual Clauses or UK Addendum (as applicable), Momentive will provide copies of the Standard Contractual Clauses or UK Addendum that it has entered into with data importers in its capacity as processor to the Customer.
10.1 Liability for data processing. Each party's aggregate liability for any and all claims whether in contract, tort (including negligence), breach of statutory duty, or otherwise arising out of or in connection with this DPA shall be as set out in the Agreement, unless otherwise agreed in writing by the parties.
10.2 Conflict. In the case of conflict or ambiguity between: (i) the terms of this DPA and the terms of the Agreement, with respect to the subject matter of this DPA, the terms of this DPA shall prevail; (ii) the terms of any provision contained in this DPA and any provision contained in the Standard Contractual Clauses, the provision in the Standard Contractual Clauses shall prevail.
10.3 Independent Processing. Customer remains exclusively liable for its own compliance with Data Protection Legislation with respect to any independent collection and processing of personal data unrelated to the Services. Customer will provide its own clear and conspicuous privacy notices that accurately describe how it does this and Momentive will not be liable for any treatment of personal data by Customer in those circumstances. Customer hereby indemnifies Momentive in full for any and all claims or liability arising as a result of such collection and use of personal data by it in those circumstances.
10.4 Entire Agreement. The Agreement (which incorporates this DPA) and any Order Form represent the entire agreement between the parties and it supersedes any other prior or contemporaneous agreements or terms and conditions, written or oral, concerning its subject matter. Each of the parties confirms that it has not relied upon any representations not recorded in the Agreement inducing it to enter into the Agreement.
10.5 Severance. If any provision of this DPA is determined to be unenforceable by a court of competent jurisdiction, that provision will be severed and the remainder of the terms will remain in full effect. Nothing in this DPA is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, nor authorize any party to make or enter into any commitments for or on behalf of any other party except as expressly provided herein.
10.6 Electronic Copy. The DPA is delivered as an electronic document.
10.7 Governing Law. This DPA shall be governed by the laws of Ireland and the parties submit to the exclusive jurisdiction of the Irish courts (in relation to all contractual and non-contractual disputes) except in the case of any alleged breach or breach of current or future privacy laws, regulation, standards, regulatory guidance, and self-regulatory guidelines at state or federal level in the United States of America, in which case the laws of the State of California shall govern unless otherwise dictated by law.
Description of the technical and organizational security measures implemented by Momentive
Momentive will maintain appropriate administrative, physical, and technical safeguards (“Security Safeguards”) for protection of the security, confidentiality and integrity of Personal Data provided to it for provision of the Services to the Customer.
The Security Safeguards include the following:
(a) Domain: Organization of Information Security.
(i) Security Roles and Responsibilities. Momentive personnel with access to data are subject to confidentiality obligations.
(ii) Risk Management Program. Momentive performs a risk assessment where appropriate before processing the data.
(b) Domain: Asset Management.
(i) Asset Handling.
(1) Momentive has procedures for disposing of printed materials that contain Customer Data.
(2) Momentive maintains an inventory of all hardware on which Customer Data is stored.
(c) Domain: Human Resources Security.
(i) Security Training.
(1) Momentive informs its personnel about relevant security procedures and their respective roles. Momentive also informs its personnel of possible consequences of breaching the security rules and procedures.
(d) Domain: Physical and Environmental Security.
(i) Physical Access to Facilities. Momentive limits access to facilities where information systems that process Customer Data are located to identified authorized individuals.
(ii) Protection from Disruptions. Momentive uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.
(iii) Component Disposal. Momentive uses industry standard processes to delete Customer Data when it is no longer needed.
(e) Domain: Communications and Operations Management.
(i) Operational Policy. Momentive maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data.
(ii) Data Recovery Procedures.
(1) On a regular and ongoing basis, Momentive creates backup copies of Customer Data from which Customer Data may be recovered in the event of loss of the primary copy.
(2) Momentive stores copies of Customer Data and data recovery procedures in a different place from where the primary computer equipment processing the Customer Data is located.
(3) Momentive has specific procedures in place governing access to copies of Customer Data.
(iii) Malicious Software. Momentive has anti-malware controls to help avoid malicious software gaining unauthorized access to Customer Data, including malicious software originating from public networks.
(iv) Data Beyond Boundaries.
(1) Momentive encrypts Customer Data that is transmitted over public networks.
(v) Event Logging.
(1) Momentive logs the use of its data-processing systems.
(2) Momentive logs access and use of information systems containing Customer Data, registering the access ID, timestamp, and certain relevant activity.
(f) Domain: Information Security Incident Management.
(i) Incident Response Process.
(1) Momentive maintains an incident response plan.
(2) Momentive maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and remediation steps, if applicable.
(g) Domain: Business Continuity Management.
(i) Momentive’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data in its original state from before the time it was lost or destroyed.
(h) Access Control to Processing Areas. Processes to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where the Customer Personal Data are processed or used, to include:
(i) establishing secure areas;
(ii) protection and restriction of access paths;
(iii) securing the mobile/cellular telephones;