Data Processing Agreement (DPA)
Document ID: SURWAYR-DPA-v1.1
Last updated: 28 March 2026
Hungarian original (HU): Download the authoritative PDF (HU)
This agreement is entered into between Devtronics Kft. (SURWAY’R) as processor (hereinafter: “Processor”) and the User as controller (hereinafter: “Controller”) automatically through use of the Service, without separate signature.
The general DPA terms are deemed accepted upon Service registration and acceptance of the Terms of Service. If your organisation requires a separately signed DPA, you may request it at legal@surwayr.com (linked at least to a Team subscription tier).
In this DPA, the terms “personal data”, “controller”, “processor”, “data subject”, “processing”, and “personal data breach” have the meanings defined in Regulation (EU) 2016/679 (GDPR) and applicable European data protection law.
1. Subject matter, content, and processing context
The User collects and processes personal data through the survey platform. The Processor stores, structures, analyses, and makes such data available to the Controller solely in accordance with the Controller’s instructions.
Main characteristics of the processing:
- Duration: For the duration of the contractual relationship between the parties, or until deletion of the Controller’s account
- Nature: Collection, storage, organisation, hosting, making data available to the Controller, erasure
- Purpose: Survey-based data collection, storage, and analytical tools for the Controller
- Categories of data subjects: Persons responding to the Controller’s surveys (respondents), members of the Controller’s organisation
- Categories of personal data: Name, email address, telephone number, other identifiers, other data embedded in the Controller’s surveys — including possible special categories of data, for which the Controller bears sole responsibility
2. Processor obligations
The Processor undertakes to:
- Process data only on the basis of the Controller’s documented instructions. “Documented instruction” means: (i) instructions on durable medium (letter, email); (ii) instructions given electronically through the Service software interface; (iii) the provisions of this DPA.
- If the Processor has reasonable grounds to believe that an instruction infringes GDPR or other applicable data protection law, it shall suspend the instruction and notify the Controller without delay. The Controller may confirm the instruction in writing at its sole risk and liability; in that case the Processor shall execute it.
- Ensure confidentiality obligations for all employees and subcontractors with access to the data — on a contractual or statutory basis.
- Use the data only for the purposes set out in this DPA; transfer to third parties only as permitted in this DPA.
- Where Union or Member State law requires processing (including international transfer of personal data), notify the Controller of that requirement before processing, unless that law prohibits such notification on important grounds of public interest.
3. Sub-processors
By using the Service, the Controller generally consents to the use of the following sub-processors:
| Sub-processor | Activity | Location | Transfer basis |
|---|---|---|---|
| Hetzner Online GmbH | Infrastructure, hosting | Germany (EU) | Within EEA, SCC not required |
| Stripe Ireland Limited | Payment processing | Ireland (EU) | Within EEA |
| Resend Inc. | Transactional email | USA | SCC (2021/914/EU Module 2) |
| Google LLC (Gemini API) | AI analysis (optional, Gemini model) | USA | SCC (2021/914/EU Module 2) |
| Groq, Inc. | AI analysis (optional, LLM inference) | USA | SCC (2021/914/EU Module 2) |
If the Processor wishes to engage a new sub-processor or replace an existing one, it will notify the Controller at least 15 calendar days in advance (by email to the registered address or in-Service notice). Within that period, the Controller may raise reasonable objection (valid only if the sub-processor manifestly fails to meet GDPR guarantees). If the Controller objects, the Processor may terminate the service agreement with 30 days’ prior notice.
The Processor concludes written agreements with every sub-processor containing the guarantees required by GDPR. The Processor is liable to the Controller for sub-processors’ conduct as for its own.
4. Data subject rights
The Processor assists the Controller, with appropriate technical and organisational measures given the nature of processing and information available, in fulfilling data subject rights under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection).
If any data subject contacts the Processor to exercise their rights, the Processor forwards the request and all related information to the Controller without delay and no later than 5 business days. The data subject is informed that the Controller is responsible for responding.
5. Technical and organisational security measures
The Processor ensures a level of security appropriate to the risk of processing through measures including:
Network security:
- Access and transmission policies, authentication mechanisms, firewall and intrusion detection systems
- Procedures for handling security incidents (Incident Response Plan)
Physical security:
- Physical infrastructure operates in ISO 27001 certified data centres (Hetzner) or facilities with equivalent physical security; physical access is limited on business need
Personal data security:
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256)
- Data minimisation, purpose limitation, and privacy by design
- Regular security testing and assessment
- Access control and role-based permissions (RBAC)
- Two-factor authentication (2FA) for administrative access
- Regular security awareness training for relevant staff
Business continuity:
- Business continuity and disaster recovery plans tested at least annually
- Backups retained for at most 90 days
Confidentiality:
- Employees and subcontractors with access to data are bound by confidentiality agreements
Consent audit log (legal consent logging):
- The Processor records user consents in a tamper-resistant, append-only system: at database level, a trigger prevents subsequent modification or deletion of records; at log file level, a SHA-256 hash chain supports demonstrable integrity.
- This layered system provides verifiable evidence of consent, its circumstances, and accepted document versions.
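The consent audit log described above relies on two independent layers: an append-only table whose trigger rejects any UPDATE or DELETE, and a SHA-256 hash chain in which every entry commits to the hash of its predecessor, so that anyone holding the records can recompute each link and detect an edited or removed record. The following Python example is added here to illustrate that design; it is not SURWAY’R’s code. The table name `legal_consent_events` and the recorded fields (fact of acceptance, timestamp, document versions, IP address, user agent) follow section 7 of this DPA; the column layout, the all-zero genesis value, the canonical JSON encoding, the SQLite triggers and the sample events are assumptions constructed for the example.

```python
import hashlib
import json
import sqlite3

# Assumed conventions for this example: first entry chains from an all-zero hash,
# and only these fields are hashed (matching the data categories named in section 7).
GENESIS = "0" * 64
FIELDS = ("user_id", "doc_id", "doc_version", "accepted_at", "ip", "user_agent")

SCHEMA = """
CREATE TABLE legal_consent_events (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id     TEXT NOT NULL,
    doc_id      TEXT NOT NULL,
    doc_version TEXT NOT NULL,
    accepted_at TEXT NOT NULL,
    ip          TEXT NOT NULL,
    user_agent  TEXT NOT NULL,
    prev_hash   TEXT NOT NULL,
    entry_hash  TEXT NOT NULL UNIQUE
);
-- Layer 1: append-only at the database level; any UPDATE or DELETE aborts.
CREATE TRIGGER consent_no_update BEFORE UPDATE ON legal_consent_events
BEGIN SELECT RAISE(ABORT, 'legal_consent_events is append-only'); END;
CREATE TRIGGER consent_no_delete BEFORE DELETE ON legal_consent_events
BEGIN SELECT RAISE(ABORT, 'legal_consent_events is append-only'); END;
"""


def entry_hash(prev_hash: str, record: dict) -> str:
    """Layer 2: SHA-256 over (previous hash, canonical JSON of the hashed fields)."""
    payload = json.dumps({k: record[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{payload}".encode("utf-8")).hexdigest()


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_consent(conn: sqlite3.Connection, record: dict) -> str:
    """Append one consent event, linking it to the current chain head; returns its hash."""
    row = conn.execute("SELECT entry_hash FROM legal_consent_events ORDER BY id DESC LIMIT 1").fetchone()
    prev = row[0] if row else GENESIS
    h = entry_hash(prev, record)
    conn.execute(
        f"INSERT INTO legal_consent_events ({', '.join(FIELDS)}, prev_hash, entry_hash) "
        f"VALUES ({', '.join('?' * len(FIELDS))}, ?, ?)",
        tuple(record[k] for k in FIELDS) + (prev, h),
    )
    conn.commit()
    return h


def db_entries(conn: sqlite3.Connection):
    """Yield the table rows as dicts in insertion order."""
    cols = FIELDS + ("prev_hash", "entry_hash")
    for row in conn.execute(f"SELECT {', '.join(cols)} FROM legal_consent_events ORDER BY id"):
        yield dict(zip(cols, row))


def export_log(conn: sqlite3.Connection) -> str:
    """File-level copy of the chain, one JSON object per line (the DPA's legal.log)."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in db_entries(conn))


def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def verify_chain(entries) -> tuple:
    """Recompute every link. Returns (True, None) or (False, index of the first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev_hash"] != prev or entry_hash(prev, e) != e["entry_hash"]:
            return False, i
        prev = e["entry_hash"]
    return True, None


def try_modify(conn: sqlite3.Connection, new_ip: str) -> str:
    """Attempt to rewrite a record; with the triggers in place this returns the abort message."""
    try:
        conn.execute("UPDATE legal_consent_events SET ip = ? WHERE id = 1", (new_ip,))
        conn.commit()
        return "modified"
    except sqlite3.DatabaseError as exc:
        conn.rollback()
        return str(exc)


def demo() -> dict:
    conn = open_store()
    # Constructed sample events (documentation-range addresses, not real users).
    ua = "Mozilla/5.0 (example)"
    record_consent(conn, dict(user_id="u-1001", doc_id="SURWAYR-DPA", doc_version="v1.1",
                              accepted_at="2026-03-28T09:15:00Z", ip="203.0.113.7", user_agent=ua))
    record_consent(conn, dict(user_id="u-1001", doc_id="SURWAYR-TOS", doc_version="v3.0",
                              accepted_at="2026-03-28T09:15:02Z", ip="203.0.113.7", user_agent=ua))
    results = {"clean": verify_chain(db_entries(conn)), "update_blocked": try_modify(conn, "198.51.100.1")}
    log = export_log(conn)
    results["log_clean"] = verify_chain(parse_log(log))
    # Tamper with the file copy: edit a field in the first line, then drop the first line entirely.
    results["log_edited"] = verify_chain(parse_log(log.replace("203.0.113.7", "198.51.100.1", 1)))
    results["log_truncated"] = verify_chain(parse_log("".join(log.splitlines(True)[1:])))
    return results


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the two layers doing different jobs: the trigger turns the UPDATE into an error, and `verify_chain` reports the first broken link when the exported file is edited or has a line removed. One caveat worth knowing when reading the DPA's wording: a hash chain on its own detects changes to or removal of entries before the chain head, but not silent removal of the most recent entries, so the current head hash should also be recorded somewhere the log writer cannot alter.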
The Processor periodically reviews and updates security measures as needed and does not reduce their overall level without notifying the Controller.
6. Incident management and notification
The Processor notifies the Controller without delay and no later than 72 hours after becoming aware of a personal data breach affecting data subjects. The notification includes at least: description of the circumstances; approximate number of data subjects and categories; likely consequences; measures taken or proposed by the Processor.
The Processor makes reasonable commercial efforts, in cooperation with the Controller, to investigate, mitigate, and resolve the incident based on available information.
The Controller is solely responsible for regulatory notifications required by applicable law (e.g. to NAIH) and for informing data subjects. The Controller shall indemnify and hold harmless the Processor from any claims, losses, and costs arising from the Controller’s failure or delay in doing so.
7. Deletion or return of data
The Controller decides whether, upon termination of the agreement, the Processor shall delete or return personal data, unless Union or Member State law requires storage.
Deletion of the account by the Controller is deemed a request for erasure under section 7. Backups are deleted within 90 days at the latest after termination.
Exception — consent audit logs: Legal consent audit logs (`legal_consent_events` database records and the `legal.log` hash chain) are retained for 5 years from account termination. Legal basis: the Provider’s legitimate interest (GDPR 6(1)(f)): ability to handle potential disputes within civil limitation periods. These records do not contain survey content or respondent data; they record only the fact of acceptance, timestamp, document versions, IP address, and user-agent data.
Cancellation of a paid subscription (while keeping the account) does not terminate this DPA; the Controller may continue using the Service on the free tier.
8. Audit rights
The Processor makes available documentation necessary to demonstrate compliance with this DPA. The Controller primarily satisfies audit requests by providing copies of relevant audit reports and certifications (e.g. ISO 27001, SOC 2).
If those documents do not reasonably address the Controller’s concerns, the Controller may conduct at most 1 audit per year (unless there are reasonable grounds to suspect material breach of the DPA). Audits must take place during normal business hours; the Controller bears all audit costs unless the audit reveals a material breach of the DPA, in which case the Processor bears actual audit costs.
9. International transfers of personal data
Transfers outside the EEA (in particular to the USA) rely on Standard Contractual Clauses (SCCs) under European Commission Implementing Decision 2021/914/EU, included in the Processor’s agreements with sub-processors.
Modules used:
- Module 2 (Controller → Processor): Resend, Google LLC (Gemini), Groq
Copies of the relevant SCCs are available on request (privacy@surwayr.com).
Transfer Impact Assessment (TIA): TIAs for transfers to the USA are documented in our internal legal records. For Google Gemini and Groq APIs, survey content is sent to the AI APIs in minimal form; we do not transfer personal identifiers (name, email address).
10. Enterprise / individually signed DPA
The general DPA terms are deemed accepted through use of the Service. If your organisation requires a separately signed DPA (e.g. internal compliance, procurement rules, health or financial sector requirements), you may request it at legal@surwayr.com.
- The individually signed DPA is based on this document; negotiable items include retention periods, audit rights, and sub-processor notification deadlines.
- Signing an individual DPA requires at least a Team subscription tier.
- The Provider responds within 10 business days of receiving the request.
SURWAY'R