Data Processing Agreement

This agreement applies between the customer (controller) and ProdForm (processor) when the customer uses the platform to collect personal data from participants. The agreement is part of the Terms and is entered into automatically when the customer starts using the service. A signed copy for archives can be requested at kontakt@prodform.no.

Last updated: May 1, 2026

1. Parties and purpose

Controller: the customer who has subscribed to ProdForm. Processor: ProdForm. The agreement governs how ProdForm processes personal data about participants on behalf of the customer, and is subject to GDPR Art. 28.

2. Nature of processing and data categories

Purpose: product testing, participant management, data collection and reporting on behalf of the customer. Data categories: participant test responses, optional demographic fields, participant code or email if the test requires identification, and technical metadata (IP, browser, device type). Processing continues for as long as the customer has an active subscription, and ends on termination as set out in section 5.

3. Subprocessors

ProdForm uses sub-processors to deliver the service. An up-to-date list including purpose, data location and data type is available at prodform.com/subprocessors and is updated when changes occur. All sub-processors have signed data processing agreements. By accepting this agreement, the customer consents to the sub-processors listed on that page. The customer is notified of new sub-processors at least 30 days in advance via email to the customer's contact address, and the customer may object in writing within the notice period.

4. Security

ProdForm uses encryption in transit (TLS 1.3) and at rest (AES-256). Internal access to personal data is role-based and logged. Multi-tenant isolation is enforced via Row Level Security in the database. All employees with access to customer data have signed confidentiality agreements. Technical and organisational measures are reviewed continuously against the risk of the processing (GDPR Art. 32).

5. Deletion and return of data

On termination of the subscription, the customer may export data for 30 days. After that, Customer Data is deleted within 30 days — backups included — unless the law requires us to retain it. In active tests, participant responses with personal identifiers are anonymised 24 months after the test is closed, so the link between answers and person is permanently severed. Anonymised aggregate data may be retained without time limit.

6. Assistance to the controller

ProdForm assists the customer in fulfilling GDPR obligations, including responding to participant requests for access, rectification and erasure (Art. 15-22), conducting data protection impact assessments (DPIAs, Art. 35) and notifying the Norwegian Data Protection Authority of breaches. The customer is primarily responsible for responding to participant requests; self-service tools in the platform cover access and deletion for participants with email association.

7. Breach notification

If ProdForm becomes aware of a personal data breach affecting customer data, the customer is notified without undue delay and within 72 hours at the latest. The notice describes the nature, scope, measures taken and a contact point for further information, in accordance with GDPR Art. 33.

8. Transfers outside the EEA

Primary data is stored in the EU. Sentry and Anthropic may process portions of the data outside the EEA. Transfers rely on the EU Commission's Standard Contractual Clauses (SCCs) supplemented with technical measures. ProdForm reviews transfers continuously against current case law.

9. Audit and documentation

The customer may request documentation of security measures, certifications and risk assessments. On-site inspection may be arranged in writing with reasonable notice, normally once a year, and is funded by the customer. ProdForm maintains records of processing activities on behalf of the customer and can share relevant excerpts on request.

10. Duration and governing law

The agreement applies for as long as ProdForm processes personal data on behalf of the customer. Termination of the Terms also terminates this agreement. The agreement is governed by Norwegian law. Disputes are resolved through negotiation; the venue is Oslo District Court.
