Last updated: May 19, 2026
Data Processing Agreement
This DPA describes processor obligations for respondent and campaign data processed on behalf of business customers.
Agreement
This Data Processing Agreement supplements the Service Terms for business customers where Pre-Assessment.com processes personal data on behalf of the customer. Contact [email protected] with DPA questions.
Roles and scope
For personal data submitted by respondents through a customer campaign, the customer is generally the controller/business and Pre-Assessment.com is the processor/service provider. For account, billing, website, support, security, and operational data that we process for our own purposes, Pre-Assessment.com may be an independent controller/business as described in the Privacy Policy.
This DPA applies to customer personal data processed by Pre-Assessment.com to provide the service under the Service Terms or an order form.
Processing instructions
We will process customer personal data only on documented instructions from the customer, including instructions in the Service Terms, order forms, campaign configuration, product settings, support requests, and this DPA, unless applicable law requires otherwise.
If we believe an instruction violates applicable data protection law, we will inform the customer unless prohibited by law.
Processing details
| Item | Description |
|---|---|
| Subject matter | Hosted guided pre-assessment and intake service for customer campaigns. |
| Duration | For the subscription term and any post-termination retention, deletion, or transition period. |
| Nature and purpose | Collecting responses, adapting questions, extracting structured lead data, verifying contact channels, sending return links, storing sessions, delivering leads, support, security, analytics, and service improvement. |
| Categories of data subjects | Respondents/leads, customer account users, customer staff, business contacts, support requesters. |
| Categories of personal data | Contact details, quiz responses, messages, qualification fields, verification status, session identifiers, device/browser metadata, IP address, uploaded files if enabled, account data, usage logs. |
| Sensitive data | Prohibited unless expressly enabled under a separate written agreement and lawful basis. |
| Customer obligations | Provide notices, establish legal bases, obtain consents, configure lawful campaigns, answer respondent rights requests, and avoid prohibited data. |
| Processor obligations | Process according to instructions, protect data, support reasonable assistance, manage subprocessors, and delete or return data as described in this DPA. |
Confidentiality and security
We will ensure personnel authorized to process customer personal data are bound by confidentiality obligations. We will maintain reasonable administrative, technical, and organizational measures designed to protect customer personal data against unauthorized access, loss, misuse, alteration, and disclosure.
Additional security commitments, certifications, encryption details, backup practices, or breach-notification timelines apply only if expressly stated in a separate written agreement or security exhibit.
Subprocessors
Customer authorizes Pre-Assessment.com to use subprocessors to provide the service. We will require subprocessors to process personal data only to provide services to us and to maintain appropriate confidentiality and security safeguards. AI subprocessors are not permitted to use submitted customer or respondent data to train their general models.
Subprocessor categories include cloud hosting and infrastructure, database and file storage, email delivery, SMS/phone verification, AI processing, security and abuse prevention, logging and monitoring, customer support, payment processing, and analytics. We may provide additional subprocessor details through the service, an order form, or a maintained subprocessor notice process.
Assistance with rights, impact assessments, and incidents
Taking into account the nature of processing and information available to us, we will provide reasonable assistance for data subject requests, security incidents, data protection impact assessments, regulator consultations, and customer compliance obligations.
Customers remain responsible for determining whether a personal data breach notification is required and for communicating with respondents, regulators, or other parties unless law requires us to do so.
International transfers
Customer personal data may be processed in the United States and other countries where we or our subprocessors operate. Where required, the parties will use appropriate transfer safeguards, such as standard contractual clauses, UK addenda, or other lawful mechanisms.
Return, deletion, and audit
At the end of the service, we will delete or anonymize customer personal data within a commercially reasonable period unless the customer exports it first or law, security, backup, dispute, fraud-prevention, or compliance needs require longer retention.
Upon reasonable request, we will provide information necessary to demonstrate compliance with this DPA. Any audits should be reasonable, protect confidential information, avoid disruption, and rely first on security documentation or third-party reports if available.
Service provider restrictions
Where U.S. state privacy laws apply and customer is a business/controller, Pre-Assessment.com will process customer personal data as a service provider/processor and will not sell or share it for cross-context behavioral advertising, retain or use it outside the business purpose of providing the service, or combine it with other personal information except as permitted by law and the customer’s instructions.