Data Processing Agreement
Last modified on June 29, 2025
This Data Processing Agreement (“DPA”) forms part of and supplements the Terms of Service between The Good Group Inc. (“The Good”, “we”, “us”, or “our”) and the Client (“you” or “your”) for the provision of Consulting Services. This DPA applies when The Good processes personal data on your behalf as described herein. Terms not defined in this DPA have the meanings set forth in our Terms of Service and Privacy Policy.
1. Definitions
1.1 “Personal Data” means any information relating to an identified or identifiable natural person.
1.2 “Processing” means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, use, disclosure, or deletion.
1.3 “Data Controller” means the entity that determines the purposes and means of Processing Personal Data.
1.4 “Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller.
1.5 “Data Subject” means the individual to whom Personal Data relates.
1.6 “Applicable Data Protection Laws” means all applicable data protection and privacy laws, including GDPR, CCPA, and any other relevant regulations.
2. Scope and Roles
2.1 This DPA applies when The Good Processes Personal Data on your behalf in connection with providing Consulting Services.
2.2 You are the Data Controller and The Good is the Data Processor for Personal Data Processed under this DPA.
2.3 The categories of Personal Data and Data Subjects are specified in Schedule 1 (Data Processing Details).
3. Data Processing Obligations
3.1 The Good shall:
- Process Personal Data only on documented instructions from you
- Ensure persons authorized to Process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational measures to ensure security
- Not engage sub-processors without your prior written consent
- Assist you in responding to Data Subject requests
- Delete or return all Personal Data upon termination of Services
3.2 You shall:
- Ensure you have a lawful basis for Processing and sharing Personal Data with us
- Provide clear instructions for Processing
- Ensure accuracy of Personal Data provided
- Comply with all Applicable Data Protection Laws
4. Security Measures
4.1 The Good implements and maintains technical and organizational measures including:
- Encryption of data in transit and at rest
- Access controls and authentication measures
- Incident response procedures
- Physical security controls
4.2 Specific security measures are detailed in Schedule 2 (Technical and Organizational Measures).
5. Sub-processors
5.1 You grant general authorization for The Good to engage sub-processors listed in Schedule 3.
5.2 The Good shall:
- Notify you of any intended changes to sub-processors
- Ensure sub-processors are bound by data protection obligations
- Remain liable for sub-processor compliance
5.3 You may object to new sub-processors within 7 days of notification.
6. International Transfers
6.1 You may request in writing that Personal Data be transferred outside the EEA/UK only with:
- Appropriate safeguards (e.g., Standard Contractual Clauses)
- Your prior written consent
- Other valid transfer mechanisms under Applicable Data Protection Laws
7. Data Subject Rights
7.1 The Good shall assist you in fulfilling obligations to respond to Data Subject requests for:
- Access, rectification, or erasure
- Data portability
- Restriction of Processing
- Objection to Processing
7.2 The Good shall promptly notify you of any Data Subject requests received directly.
8. Data Breach Notification
8.1 The Good shall notify you without undue delay (and within 48 hours) after becoming aware of a Personal Data breach.
8.2 Notification shall include:
- Nature of the breach
- Categories and numbers of Data Subjects affected
- Likely consequences
- Measures taken or proposed
9. Duration and Termination
9.1 This DPA remains in effect for the duration of the Services.
9.2 Upon termination, The Good shall, at your election:
- Delete all Personal Data
- Return all Personal Data in agreed format
- Retain only as required by law
10. Liability and Indemnification
10.1 Each party’s liability under this DPA is subject to the limitations in the Terms of Service.
10.2 Each party shall indemnify the other against losses arising from its breach of this DPA or Applicable Data Protection Laws.
11. California Specific Terms (CCPA)
11.1 The Good certifies that it:
- Shall not sell Personal Data
- Shall not retain, use, or disclose Personal Data except as permitted
- Understands the restrictions under CCPA
Schedule 1: Data Processing Details
Subject Matter: Processing of Personal Data in connection with digital experience optimization and consulting services
Duration: Duration of the Services under the engagement letter
Nature and Purpose: Analysis, optimization, and improvement of digital experiences, user research, and related consulting services
Categories of Data Subjects (only as necessary):
- Client’s customers/users
- Client’s employees
- Website visitors
- Research participants
Categories of Personal Data (only as necessary):
- Contact information (names, emails, phone numbers)
- Usage data and analytics
- Survey responses
- User behavior data
- Technical identifiers (IP addresses, device IDs)
- Professional information
Schedule 2: Technical and Organizational Measures
The Good implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Access Control: Role-based access controls, unique user credentials, and multi-factor authentication where appropriate
- Data Encryption: Industry-standard encryption for data in transit (TLS/SSL) and at rest
- Physical Security: Secure facilities with restricted access
- Incident Management: Documented incident response procedures and breach notification protocols
- Data Minimization: Collection and retention limited to what is necessary for agreed purposes
- Confidentiality: All personnel bound by confidentiality agreements
Schedule 3: Authorized Sub-processors
The following sub-processors are authorized to process Personal Data in connection with the Services:
Sub-processor | Purpose | Location |
---|---|---|
Hotjar Ltd | Digital experience insights platform (heatmaps, session recordings, user feedback) | Malta (HQ); Data processed in Ireland (AWS) |
Convert Insights Inc. | A/B testing and website optimization services | United States (HQ); EU data processed in Germany |
Optimizely North America Inc. | Digital Experience Platform (A/B testing, personalization, feature flagging) | United States (HQ); AWS global data centers |
Wingify Software Private Limited (VWO) | Digital experience optimization (A/B testing, behavioral analytics) | India (HQ); Data processed in US, EU (Belgium), India |
Microsoft Ireland Operations Limited (Clarity) | User behavior analytics (session recordings, heatmaps) | Ireland (for EU); Microsoft Azure infrastructure |
UserTesting Inc. | Customer experience insights and usability testing platform | United States (HQ); AWS infrastructure globally |
Alchemer LLC | Survey software and customer feedback platform | United States (HQ); AWS data centers in US, EU (Germany), Canada |
Google LLC / Google Ireland Limited (Looker Studio) | Business intelligence and data visualization platform | US (Google LLC) / Ireland (Google Ireland Limited); Global Google data centers |
Google LLC / Google Ireland Limited (BigQuery) | Enterprise data warehouse and analytics platform | US (Google LLC) / Ireland (Google Ireland Limited); Customer-selectable regions |
Updates to this list will be communicated in accordance with Section 5 of this DPA.