Data Processing Agreement

Last updated: July 8, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Tomorrow Tech Limited ("Moderator1," "Processor," "we," "us") and you ("Customer," "Controller") and governs the processing of personal data in connection with our services.

This DPA is designed to ensure compliance with applicable data protection laws including the General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), and the Data Protection Act 2018.

2. Definitions

  • "Controller" means the Customer who determines the purposes and means of processing personal data
  • "Processor" means Moderator1, which processes personal data on behalf of the Controller
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Data Subject" means an identifiable natural person whose personal data is processed
  • "Sub-processor" means any third party engaged by the Processor to process personal data

3. Roles and Responsibilities

3.1 Customer Obligations

The Customer shall:

  • Provide Data Subjects with all necessary information about data processing
  • Obtain all necessary consents for lawful processing
  • Ensure that instructions given to the Processor comply with applicable laws
  • Maintain appropriate records of processing activities

3.2 Processor Obligations

Moderator1 shall:

  • Process personal data only for the purposes of the Services and on documented instructions from the Customer
  • Ensure that personnel processing personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Customer in responding to Data Subject requests
  • Delete or return personal data upon termination of services

4. Data Security

Moderator1 implements the following security measures:

  • Access Control: Authentication and authorization protocols to restrict access to authorized personnel
  • Encryption: Data encrypted in transit (HTTPS/TLS) and at rest (256-bit AES)
  • Just-in-Time Access: Staff access to customer data is granted only when necessary
  • Employee Vetting: Background checks for employees handling personal data
  • Security Assessments: Regular security audits and vulnerability testing
  • Incident Response: Documented procedures for handling security incidents

5. Data Breach Notification

In the event of a personal data breach, Moderator1 shall:

  • Notify the Customer within 48 hours of becoming aware of the breach
  • Provide sufficient information to enable the Customer to meet its notification obligations
  • Cooperate with the Customer in investigating and mitigating the breach
  • Document the breach and remedial actions taken

6. Sub-processors

Moderator1 uses the following categories of sub-processors:

  • AWS (Amazon Web Services): Cloud hosting and infrastructure
  • Google Cloud: AI and machine learning services
  • OpenAI: AI language processing
  • Stripe: Payment processing

We will provide Customers with at least 7 days' notice before engaging new sub-processors. Customers may object to new sub-processors by contacting us within this period.

7. Data Subject Rights

Moderator1 shall assist the Customer in fulfilling its obligations to respond to Data Subject requests, including requests for:

  • Access to personal data
  • Rectification of inaccurate data
  • Erasure of personal data
  • Restriction of processing
  • Data portability
  • Objection to processing

8. Data Protection Impact Assessments

Moderator1 shall provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments (DPIAs) where required by applicable law.

9. International Transfers

Where personal data is transferred outside the EEA or UK, Moderator1 ensures that appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

10. Audit Rights

Upon reasonable request and subject to confidentiality obligations, Moderator1 shall make available to the Customer information necessary to demonstrate compliance with this DPA.

11. Termination

Upon termination of services, Moderator1 shall, at the Customer's choice, delete or return all personal data and delete existing copies, unless retention is required by law.

12. Contact

For questions about this DPA or data processing practices:

Email: privacy@moderator1.com
Address: 43 Manchester Street, London W1U 7LP, United Kingdom

Moderator1
Add the depth of an interview to every survey you send out.
© 2025 Moderator1 All Rights Reserved
Terms & Conditions
Privacy Policy
Data Processing Agreement
Contact