Features

Solutions

Pricing

Resources

Customer Stories

Free HR Tools

Help Center

Support

Log In

Book a Demo

Data Processing Agreement

Last updated 1 April 2026

1. Purpose and Scope

This Data Processing Agreement ("DPA") applies when Hindcast LLC, doing business as FeedbackPulse ("FeedbackPulse", "Processor", "we", "us"), processes personal data on behalf of a customer organisation ("Customer", "Controller") in connection with the FeedbackPulse services.

This DPA forms part of the agreement between the Customer and FeedbackPulse governing the use of the services, including the Terms of Service, order form, subscription agreement, or other written agreement between the parties (the "Agreement").

2. Roles of the Parties

For Customer Data processed under this DPA:

  • the Customer acts as the data controller, except to the extent applicable law states otherwise; and
  • FeedbackPulse acts as the data processor, except where FeedbackPulse processes data as an independent controller for its own business operations, such as billing, fraud prevention, security, legal compliance, support administration, and marketing site analytics.

3. Subject Matter and Duration

The subject matter of the processing is the provision of FeedbackPulse's employee engagement, survey, review, recognition, reporting, and related platform services.

Processing under this DPA continues for as long as FeedbackPulse processes Customer Data on the Customer's behalf under the Agreement.

4. Nature and Purpose of Processing

FeedbackPulse may process Customer Data as necessary to:

  • host and provide the services;
  • authenticate users and manage accounts;
  • enable surveys, peer reviews, performance reviews, recognitions, reporting, and related workflows;
  • provide communications, reminders, and transactional notifications;
  • secure, monitor, maintain, and support the services;
  • enable optional integrations, API access, and customer-authorised workflows;
  • provide AI-powered features where such features are used under the Customer's configuration and user permissions.

5. Categories of Data Subjects and Personal Data

Data subjects may include:

  • Customer personnel;
  • employees, managers, administrators, and contractors of the Customer;
  • survey recipients and respondents;
  • users authorised by the Customer to access the services.

Personal data may include:

  • account and contact details;
  • employee profile and organisational data;
  • survey, review, recognition, and feedback content;
  • usage, access, and audit metadata;
  • authentication, token, and integration metadata;
  • any other personal data the Customer or its users submit to the services.

The Customer controls the categories of Customer Data submitted to the services.

6. Processor Obligations

FeedbackPulse will:

  • process Customer Data only on documented instructions from the Customer, including instructions given through the Customer's use and configuration of the services, unless otherwise required by applicable law;
  • ensure personnel authorised to process Customer Data are subject to appropriate confidentiality obligations;
  • implement appropriate technical and organisational measures designed to protect Customer Data, taking into account the nature of the processing and the information available to FeedbackPulse;
  • notify the Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Data, and provide information reasonably available to FeedbackPulse to help the Customer meet its notification obligations;
  • assist the Customer, taking into account the nature of the processing and information available to FeedbackPulse, with reasonable requests related to data subject rights, security, breach response, impact assessments, and prior consultation obligations under applicable law;
  • make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, proportionality, and security safeguards.

7. Customer Obligations

The Customer is responsible for:

  • determining that its use of the services is lawful;
  • providing all required notices to data subjects;
  • establishing a lawful basis for processing Customer Data;
  • configuring and using the services in a way that is appropriate for the Customer's compliance obligations;
  • responding to data subject requests, except to the extent the Customer asks FeedbackPulse for reasonable assistance;
  • ensuring it does not instruct FeedbackPulse to process Customer Data in violation of applicable law.

8. Security Measures

FeedbackPulse maintains technical and organisational measures designed to protect Customer Data, including measures related to:

  • encryption in transit;
  • access controls and role-based restrictions;
  • system logging and monitoring;
  • patching and maintenance practices;
  • backup and recovery processes;
  • incident response and operational safeguards.

Additional information about FeedbackPulse's current security posture is available on our Security page.

9. Sub-Processors

The Customer authorises FeedbackPulse to use sub-processors to provide the services.

FeedbackPulse will:

  • maintain a current list of sub-processors on the Sub-Processors page;
  • remain responsible for its sub-processors' processing of Customer Data to the extent required by applicable law and the Agreement;
  • require sub-processors to protect Customer Data by written terms that are no less protective in material substance than the data protection obligations in this DPA, as applicable to the services performed by the sub-processor.

10. International Transfers

Customer Data may be processed in the United States and other countries outside the EEA, UK, or Switzerland.

Where required by applicable law, FeedbackPulse will implement an appropriate transfer mechanism for such transfers, which may include the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, the Swiss addendum or equivalent safeguard, or another recognised transfer safeguard.

FeedbackPulse is not represented by this DPA as currently certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, or the Swiss-U.S. Data Privacy Framework unless FeedbackPulse is then listed as an active participant on the official Data Privacy Framework List.

If FeedbackPulse later becomes and remains an active participant in the relevant Data Privacy Framework program, FeedbackPulse may rely on that participation for covered transfers to the extent permitted by applicable law and the scope of that certification.

11. Data Privacy Framework Status

If FeedbackPulse publicly self-certifies to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework in the future, FeedbackPulse's then-current public privacy notice and related program disclosures will describe:

  • the relevant certification scope;
  • the independent recourse mechanism made available at no cost to individuals;
  • FeedbackPulse's commitment to cooperate with applicable EU, UK, and Swiss authorities where required by the relevant framework;
  • FeedbackPulse's commitments regarding onward transfers, verification, and binding arbitration under the relevant framework.

12. Data Subject Requests

Taking into account the nature of the processing, FeedbackPulse will provide reasonable assistance to the Customer to help the Customer respond to requests from data subjects to exercise their rights under applicable law.

If FeedbackPulse receives a request directly from a data subject relating to Customer Data, FeedbackPulse may:

  • direct the requester to the Customer; or
  • notify the Customer and await the Customer's instructions,

unless FeedbackPulse is legally required to respond differently.

13. Personal Data Breach Notification

If FeedbackPulse becomes aware of a confirmed personal data breach affecting Customer Data, FeedbackPulse will notify the Customer without undue delay and provide reasonably available information necessary to assist the Customer in meeting its obligations under applicable law.

14. Deletion and Return of Customer Data

Upon termination or expiration of the Agreement, FeedbackPulse will delete or return Customer Data in accordance with the Agreement, the Customer's documented instructions, and FeedbackPulse's retention, backup, security, and legal compliance requirements.

Certain Customer Data may remain in backups, logs, security records, or other retained systems for a limited period where required for security, integrity, fraud prevention, legal compliance, or backup lifecycle management. Such retained data will remain protected under this DPA for as long as it is retained.

15. Audits and Information Rights

FeedbackPulse will make available information reasonably necessary to demonstrate compliance with this DPA.

Where the Customer reasonably requires additional verification, the parties will cooperate in good faith on a proportionate audit or review process that:

  • is limited to information relevant to Customer Data processing under this DPA;
  • avoids unreasonable interference with FeedbackPulse's business operations;
  • protects the confidentiality, security, and privacy of other customers and FeedbackPulse systems;
  • is subject to reasonable notice and no more than once per year, unless required by law or triggered by a confirmed security incident affecting the Customer.

FeedbackPulse may satisfy audit obligations through current third-party certifications, reports, questionnaires, or comparable documentation where appropriate.

16. Conflict

If there is a conflict between this DPA and the Agreement with respect to the processing of Customer Data, this DPA controls to the extent of that conflict.

17. Annex 1 - Processing Details

Subject matter

Provision of the FeedbackPulse services.

Duration

For the term of the Agreement and any limited retention period that follows under the Agreement, documented instructions, backup lifecycle, or legal/security obligations.

Nature and purpose of processing

Hosting, storage, organisation, access, transmission, analysis, support, security, reporting, communications, and deletion or return of Customer Data as required to provide the services.

Categories of data subjects

Customer personnel, employees, managers, administrators, contractors, respondents, and other authorised users.

Categories of personal data

Account data, contact data, organisational profile data, survey and review data, recognition data, usage and audit metadata, authentication metadata, and any other Customer Data submitted to the services.

Sensitive data

The Customer controls whether special categories of personal data or other sensitive data are submitted to the services. FeedbackPulse does not require such data by default, but free-text content submitted by users may contain sensitive information.

18. Contact

For DPA questions or requests, contact [email protected].