Last updated · January 16, 2026
For Enterprise Customers: To execute this DPA, please contact legal@5eintel.com with your company details.
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other agreement (“Agreement”) between 5E Intel LLC (“Processor”, “we”, “us”) and the customer (“Controller”, “you”) for the provision of interview and survey services.
1. Definitions
In this DPA, the following terms have the meanings set out below:
- “Controller” means the entity that determines the purposes and means of processing Personal Data (you, the customer).
- “Processor” means the entity that processes Personal Data on behalf of the Controller (5E Intel LLC).
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Data Subject” means the individual to whom Personal Data relates.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Data Protection Laws” means all applicable laws relating to data protection and privacy, including the GDPR, CCPA, and UK GDPR.
- “GDPR” means the General Data Protection Regulation (EU) 2016/679.
- “UK GDPR” means the GDPR as incorporated into UK law by the Data Protection Act 2018.
- “SCCs” means the Standard Contractual Clauses for international data transfers adopted by the European Commission.
2. Scope and Purpose of Processing
2.1 Scope
This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the Services described in the Agreement.
2.2 Purpose
The Processor shall process Personal Data only for the following purposes:
- Conducting interviews and surveys as configured by the Controller
- Recording and transcribing interview sessions when enabled
- Generating analysis and insights from responses
- Providing the Services as described in the Agreement
- Complying with legal obligations
2.3 Categories of Data Subjects
- Interview respondents and survey participants
- Job candidates (when used for hiring)
- Research participants
- Controller’s employees and representatives
2.4 Types of Personal Data
- Contact information (name, email address)
- Interview and survey responses
- Audio and video recordings
- Transcripts of recorded sessions
- Demographic information (if collected)
- Device and usage information
3. Processor Obligations
The Processor shall:
3.1 Lawful Processing
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Immediately inform the Controller if any instruction infringes Data Protection Laws
- Not process Personal Data for any purpose other than those specified in this DPA
3.2 Confidentiality
- Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations
- Not disclose Personal Data to third parties except as permitted by this DPA or as required by law
3.3 Security
- Implement and maintain appropriate technical and organizational measures to protect Personal Data (see Annex C)
- Regularly test, assess, and evaluate the effectiveness of security measures
- Assist the Controller in ensuring compliance with security obligations under Data Protection Laws
4. Sub-processor Management
4.1 Authorization
The Controller provides general authorization for the Processor to engage Sub-processors, subject to the conditions in this section.
4.2 Sub-processor Requirements
Before engaging any Sub-processor, the Processor shall:
- Enter into a written agreement with the Sub-processor imposing data protection obligations substantially similar to those in this DPA
- Conduct due diligence to ensure the Sub-processor can provide sufficient guarantees
- Remain fully liable for the acts and omissions of its Sub-processors
4.3 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|
| Cloud Infrastructure Provider | Hosting, data storage, computing | United States |
| OpenAI | AI processing, transcription, analysis | United States |
| Stripe | Payment processing | United States |
| Email Service Provider | Transactional email delivery | United States |
4.4 Changes to Sub-processors
The Processor shall notify the Controller at least 30 days before adding or replacing any Sub-processor. The Controller may object to such changes within 14 days of notification.
5. Data Subject Rights Assistance
The Processor shall assist the Controller in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:
- Right of Access: Provide copies of Personal Data upon request
- Right to Rectification: Correct inaccurate Personal Data
- Right to Erasure: Delete Personal Data (“right to be forgotten”)
- Right to Restriction: Limit processing of Personal Data
- Right to Portability: Provide Personal Data in a structured, machine-readable format
- Right to Object: Cease processing based on legitimate interests
The Processor shall respond to Controller requests for assistance within 10 business days.
6. Security Measures
The Processor implements the technical and organizational measures described in Annex C to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
7. Data Breach Notification
7.1 Notification Timeline
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach.
7.2 Notification Content
The notification shall include, to the extent possible:
- A description of the nature of the breach, including categories and approximate number of Data Subjects and Personal Data records affected
- Name and contact details of the Processor’s data protection contact
- A description of the likely consequences of the breach
- A description of measures taken or proposed to address the breach and mitigate its effects
7.3 Cooperation
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each breach.
8. Audit Rights
8.1 Information Access
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Data Protection Laws.
8.2 Audit Procedures
The Controller may conduct audits, including inspections, subject to the following conditions:
- Providing at least 30 days’ written notice
- Conducting audits during normal business hours
- Ensuring auditors are bound by confidentiality obligations
- Not unreasonably interfering with the Processor’s business operations
- Bearing the costs of the audit
8.3 Third-Party Audits
The Processor may satisfy audit requests by providing:
- SOC 2 Type II reports (when available)
- Other relevant third-party certifications or audit reports
- Completed security questionnaires
9. Data Return and Deletion on Termination
9.1 Upon Termination
Upon termination of the Agreement, the Processor shall, at the Controller’s choice:
- Return: Provide the Controller with all Personal Data in a commonly used, machine-readable format; or
- Delete: Securely delete all Personal Data and certify such deletion in writing
9.2 Timeline
The Processor shall complete return or deletion within 30 days of termination, unless a longer period is required by applicable law.
9.3 Backup Retention
Personal Data may be retained in encrypted backups for up to 90 days after deletion from primary systems, after which it will be permanently destroyed.
10. Liability and Indemnification
10.1 Liability
Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement.
10.2 Indemnification
Each party shall indemnify the other against any costs, claims, damages, or expenses arising from the indemnifying party’s breach of this DPA or Data Protection Laws.
Annex A: EU Standard Contractual Clauses
For transfers of Personal Data from the European Economic Area (EEA) to countries not recognized as providing adequate protection, the parties agree to be bound by the EU Standard Contractual Clauses (SCCs) adopted by European Commission Decision 2021/914.
The SCCs are incorporated by reference and available at: European Commission SCCs
Module Selection: Module Two (Controller to Processor) applies.
Annex B: UK International Data Transfer Addendum
For transfers of Personal Data from the United Kingdom to countries not recognized as providing adequate protection, the parties agree to be bound by the UK International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner’s Office.
The IDTA is incorporated by reference and supplements the SCCs for UK data transfers.
Annex C: Technical and Organizational Measures
The Processor implements the following security measures:
C.1 Access Controls
- Role-based access control (RBAC)
- Unique user identification and authentication
- Strong password policies
- Automatic session timeout
- Principle of least privilege
C.2 Encryption
- TLS 1.2+ encryption for data in transit
- AES-256 encryption for data at rest
- Encrypted database connections
- Secure key management
C.3 Network Security
- Firewall protection
- Intrusion detection and prevention
- DDoS mitigation
- Network segmentation
C.4 Data Protection
- Regular automated backups
- Point-in-time recovery capability
- Data integrity verification
- Secure data disposal procedures
C.5 Incident Response
- Documented incident response procedures
- 24/7 security monitoring
- Regular security assessments
- Vulnerability management program
C.6 Personnel Security
- Background checks for employees with data access
- Confidentiality agreements
- Security awareness training
- Access revocation upon termination
Contact
For DPA execution: legal@5eintel.com · 5E Intel LLC, United States
Data protection contact: privacy@5eintel.com
Related
