DPA

Data Processing Agreement.

The agreement governing how Peekator processes personal data on behalf of customers in accordance with GDPR and UK GDPR requirements.

Last updated: 3 June 2026

  • GDPR compliant
  • UK GDPR compliant
  • Customer data remains customer owned
  • Secure processing practices

Purpose of the DPA

This Data Processing Agreement ("DPA") forms part of the agreement between Peekator Ltd ("Peekator", "we", "us") and the customer ("Customer", "you") governing the use of Peekator's platform and services. It sets out the terms on which Peekator will process personal data on behalf of the Customer as a data processor under the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU General Data Protection Regulation (GDPR).

This DPA applies to all personal data that Peekator processes on behalf of the Customer in the course of providing the Services, including survey responses, AI interview transcripts, respondent information and any other personal data submitted to or generated through the platform.

Definitions used in this DPA have the meanings given to them in the UK GDPR unless otherwise defined herein. In the event of any conflict between this DPA and the main service agreement, the terms of this DPA shall prevail with respect to data protection matters.

Roles and responsibilities

Customer as Data Controller

The Customer acts as the data controller in respect of personal data processed through the Peekator platform. As the controller, the Customer is responsible for:

  • Ensuring it has a lawful basis for processing the personal data and that all processing is fair, lawful and transparent.
  • Obtaining all necessary consents, permissions and legal rights from data subjects to collect and process their personal data through the Services.
  • Providing appropriate privacy notices to data subjects that accurately describe the processing carried out via Peekator.
  • Ensuring the personal data is accurate, relevant and limited to what is necessary for the purposes of the research.
  • Complying with data subject requests including access, correction, erasure and objection requests.
  • Notifying Peekator of any changes to instructions that may affect compliance with data protection law.

Peekator as Data Processor

Peekator acts as a data processor in respect of personal data processed through the platform. As the processor, Peekator will:

  • Process personal data only on documented instructions from the Customer, including with regard to transfers of personal data to third countries.
  • Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
  • Not engage another processor (sub-processor) without prior specific or general written authorisation of the Customer.
  • Assist the Customer in ensuring compliance with its obligations under data protection law.
  • Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits.
  • Delete or return all personal data to the Customer after the end of the provision of services, unless required by law to retain it.

Categories of personal data

The personal data processed by Peekator on behalf of the Customer may include the following categories, depending on the Customer's use of the Services:

  • Survey responses — answers, ratings, selections and free-text responses provided by research participants in surveys.
  • AI interview transcripts — text transcripts of AI-moderated interviews, including questions, responses and follow-up dialogue.
  • Research participant information — names, email addresses, demographic information, contact details and identifiers collected to manage participant recruitment and communications.
  • User account information — names, email addresses, organisation details, roles and authentication credentials of Customer personnel who access the platform.
  • Uploaded files and attachments — documents, images, audio or video files uploaded by the Customer or respondents as part of research projects.

Where the Customer configures surveys or interviews to collect special category data (as defined under Article 9 of the UK GDPR), the Customer must inform Peekator in advance and ensure appropriate safeguards are in place.

Processing activities

Peekator carries out the following processing activities on behalf of the Customer:

  • Survey collection — hosting, rendering and storing survey questionnaires; collecting, validating and storing responses; managing quotas and logic.
  • AI interviews — conducting dynamic AI-moderated interviews; capturing, storing and transcribing responses; generating follow-up questions based on discussion outlines.
  • Data analysis — applying statistical, thematic and sentiment analysis to research data; generating summaries, reports and visualisations.
  • Reporting — compiling research outputs, dashboards, exports and presentations; enabling sharing and collaboration within the Customer's workspace.
  • Research workflow management — managing projects, teams, permissions, communications and integrations with third-party tools.

All processing is carried out in accordance with the Customer's documented instructions as reflected in the platform configuration, project settings and any additional written agreements.

Security measures

Peekator implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft or disclosure. These measures include:

Technical measures

  • Encryption of data in transit using TLS 1.2 or higher across all public-facing services and APIs.
  • Encryption of data at rest using industry-standard encryption algorithms and key management practices.
  • Network segmentation, firewalls and intrusion detection systems.
  • Regular vulnerability scanning and penetration testing of the platform and infrastructure.
  • Secure development practices including code review, dependency scanning and automated testing.

Organisational measures

  • Role-based access control enforcing the principle of least privilege.
  • Multi-factor authentication for administrative and privileged access.
  • Comprehensive audit logging of access to and actions on personal data.
  • Staff security awareness training and confidentiality obligations.
  • Incident response procedures and business continuity planning.

Peekator reviews and updates these measures regularly to maintain an appropriate level of security in light of evolving threats and industry best practice.

Sub-processors

Peekator may engage third-party sub-processors to assist in the delivery of the Services. All sub-processors are bound by written contracts that impose data protection obligations no less protective than those set out in this DPA.

The Customer provides general authorisation for Peekator to engage the categories of sub-processors listed below. Peekator will notify the Customer of any intended changes to sub-processors and provide the Customer with a reasonable opportunity to object.

Current sub-processor categories include:

  • Cloud hosting and infrastructure providers
  • Email and notification delivery services
  • Payment processing services
  • Analytics and monitoring services
  • AI and machine learning model providers
  • Speech-to-text and transcription services

A current list of specific sub-processors is available on request. Peekator maintains responsibility for the acts and omissions of its sub-processors.

International transfers

Peekator is based in the United Kingdom and primarily hosts personal data in UK and European Economic Area (EEA) data centres. Where personal data is transferred outside the UK or EEA, Peekator ensures that appropriate safeguards are in place to protect the data.

For transfers from the UK to countries not subject to an adequacy decision, Peekator relies on UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) supplemented by a UK Addendum where required.

For transfers from the EEA, Peekator relies on EU Standard Contractual Clauses or adequacy decisions where available.

Peekator assesses the laws and practices of destination countries and implements any additional safeguards necessary to ensure an essentially equivalent level of protection.

Data subject rights

Peekator assists the Customer in responding to data subject requests under the UK GDPR, including requests for access, rectification, erasure, restriction of processing, data portability and objection.

Where a data subject contacts Peekator directly, Peekator will forward the request to the Customer unless legally required to act otherwise. Peekator will provide reasonable technical assistance to enable the Customer to fulfil its obligations, including facilitating data retrieval, correction and deletion where technically feasible.

The Customer remains responsible for verifying the identity of data subjects, assessing the validity of requests, and responding within the statutory timeframes.

Breach notifications

Peekator maintains appropriate procedures to detect, assess and respond to personal data breaches. In the event of a personal data breach affecting personal data processed on behalf of the Customer, Peekator will:

  • Notify the Customer without undue delay and in any case within 24 hours of becoming aware of the breach.
  • Provide the Customer with sufficient information to enable it to meet any obligations to notify the supervisory authority or affected data subjects.
  • Co-operate with the Customer in investigating the breach and implementing remedial measures.
  • Document the breach, its effects and the remedial action taken.

The Customer is responsible for assessing whether the breach is likely to result in a risk to the rights and freedoms of data subjects and for notifying the relevant supervisory authority and data subjects where required by law.

Data retention and deletion

Personal data is retained only for as long as necessary to provide the Services and as required by the Customer's instructions or applicable law.

Customer-controlled deletion

The Customer may delete projects, surveys, responses, transcripts and other content at any time through the platform. Upon deletion, Peekator will remove the data from active production systems within a reasonable period, typically within 30 days.

Account termination

Upon termination or expiry of the agreement, Peekator will, at the Customer's election, delete or return all personal data, except where retention is required by applicable law. A certificate of destruction may be provided on request.

Backups

Deleted data may persist in encrypted backups for up to 30 days following deletion. After this period, backups are automatically purged in accordance with Peekator's backup retention policy.

Audit rights

The Customer has the right to audit Peekator's compliance with this DPA, subject to reasonable notice and no more than once per calendar year (or more frequently where required by a supervisory authority or following a data breach).

Audit requests must be submitted in writing at least 30 days in advance, specifying the scope, timing and format of the audit. Peekator may propose a mutually agreed third-party auditor to conduct the audit on the Customer's behalf.

Peekator will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including copies of relevant policies, certifications, penetration test reports (where confidentiality agreements permit) and sub-processor agreements.

The Customer shall bear its own costs of the audit, except where the audit reveals a material breach of this DPA by Peekator, in which case Peekator shall bear the reasonable costs of the audit.

Contact information

For questions about this Data Processing Agreement, to request a signed copy, or to discuss specific compliance requirements, please contact our data protection team:

info@peekator.com

This document is provided for transparency and procurement purposes and will be reviewed periodically. The current version supersedes all previous versions. For the avoidance of doubt, this online version does not constitute a signed agreement; enterprise customers should request a countersigned DPA for their records.