CONTRACT 6158 Vender AgreementAgreement No. 6158
h oft
I J r I Qualtrics at Cara s ,
quaitrics. 1 i4.l� ��1..a1,d�..�1 l �� W_� S I <� )d�.) � R,1 Sr 01'i � �u,�:a ITA 20190
PV 1(.:11 J- (i 03) 8,71 8500 j P AX 87 1 �i5(I 5 � .I Ill I Rl F (88) CaY M:wW carahsoft
WTV"W C/\R 4H SO, I'i::ek',W)UAI g U� l ((i7,�. �1 � U y ,P �Y I C(:; �vl
TO: Charles Mallory FROM! Michelle Gomez -Colon
City of El Segundo Qualtrics at Carahsoft
350 Main St 11493 Sunset Hills Road
El Segundo, CA 90245 USA Reston, Virginia 20190
EMAIL: cmallory@elsegundo.org
EMAIL: Michelle.Gomez-Colon@carahsoft.com
PHONE:
PHONE: (571) 662-3354
FAX: (703) 871-8505
TERMS: Contract Number: 7-17-70-40-05
QUOTE NO:
30253955
NASPO Master Contract Number: AR2472
QUOTE DATE:
07/09/2021
Contract Term: 09/15/17 - 09/15126
QUOTE EXPIRES
09/03/2021
Shipping Point: FOB Destination
RFQ NO:
Credit Cards: VISA/MasterCard/AMEX
SHIPPING:
ESD
Remit To: Same as Above
Payment Terms: Net 45 (On Approved Credit)
TOTAL PRICE:
$29,101.33
Sales Tax May Apply
TOTAL QUOTE:
$29,101.33
.INE NO. PART NO. DESCRIPTION
1 AR2472-QUAD03-
Customer Experience 5 Response Tier-25000
1953
Foundation - Responses : up to 15000
Qualtrics, LLC - CX5-25000
Start Date: 09/06/2021
End Date: 09/05/2022
2 AR2472-QUA003-
Customer Experience 5-Implementation
1156
Qualtrics, LLC - CX5-Imp
Start Date: 09/06/2021
End Date: 09/05/2022
SUBTOTAL:
QUOTE PRICE QTY EXTENDED PRICE
$20,789.47 COOP 1 $20,789.47
$8,311.86 COOP 1 $8,311.86
$29,101.33
TOTAL PRICE: $29,101.33
TOTAL QUOTE: $29,101.33
Agreement No. 6158
��NF|�ENT|�L OU�TEDATE� 07/09/2021
PA�E1of2 QU�TE�Q� CONFIDENTIAL
30253955
%JI k11M' II' M 1 � If � t; 9 III Ili. III"" II II11 'o V %lilt L� l U L 0 11 LX II' Ili
qualtricsm Qf),,,alf CaraIl Gaft
ME NO. PART O DESCRIPTION
Waltrics Terms of Service: https://www.qualtrics.com/terms-of-service/
Agreement No. 6158
carahsoft
'ERMS & CONDITIONS
'rites shown do not include sales tax, GST, HST, VAT or other taxes that may apply. Applicable taxes will be presented on the invoice.
Inless inserted as part of an order form, this quote does not constitute a contract and is based on current information about the project
equirements. Timelines for associated projects may be provided in a separate
Irder form. Unless inserted as part of an order form, actual costs may change once project requirements and timelines are finalized.
ioftware total above does not include any additional services fees that may be applicable.
�* Please reference Carahsoft Quote Number 30253955 on a resulting purchase order.
By providing a PO, customer is hereby agreeing to the terms and conditions outlined within the order form below.
ncludes:
:oundation - User : Includes up to 15
iMS Text Reserve: up to 50000
:oundation - Responses : up to 15000
Y
�'�"0°R9I llDEN A ��,4,,(1:iIiI11:Cw! 0A11E 07/09/2021
d;;hll!!!I1wM:u 'N �'�ti.uu`::egl '�,I:"� CONFIDENTIAL
30253955
Agreement No. 6158
qualtrics.lm Order Form
........ ........
Parties: Qualtrics, LLC Carahsoft
333 W. River Park Dr, 11493 Sunset Hills Rd
Provo, UT 84604 Reston, VA 20190
United States United States
("Qualtrics") ("Partner")
...............
Effective Date: The date signed by the last party to sign.
End Customer City of El Segundo
350 Main St
El Segundo, CA 90245
United States
("Customer")
Governing This Order Form is subject to the Qu altrics Terms of Service at
Document: (the "Agreement'). All capitalized
terms used but not defined herein have the meanings given to them in the Agreement. If
there is a conflict between the terms of the Agreement and this Order Form, this Order
Form will control.
Attachments: - Service Level Exhibit
- Fees Exhibit
- Cloud Service Exhibit
- Professional Services Exhibit(s)
Services', As set forth in the exhibits attached hereto
Term: As set forth in the exhibits attached hereto
Payment As set forth in the exhibits attached hereto
Terms:
.....................
Additional
Terms:
To be completed by Customer
.... ._._ .........
R..
egional Data Purchase Order
Center: Number (if any):
__... ...... ...._. .__.... ...
Email Address Shipping
for Invoice Address:
Submission:
Invoicing Billing Address Attn:
Instructions (if for Invoice
applicable): Submission:
QUALTRICS CONFIDENTIAL
Agreement No. 6158
qualtrics Order Form
Qualtrics Primary Contact: Customer Primary Contact:
Name: Olivia Gonzales Name: Portland Bates
Phone: Phone:3105242343
...............
Email: oliviag@qualtrics.com Email: pbates@elsegundo.org
QUALTRICS CONFIDENTIAL
Agreement No. 6158
qualtrics.xmOrder Form
Service Level Exhibit
Service Levels
1. Availability. Qualtrics will use commercially reasonable efforts to ensure that the Cloud Service will be
available at all times, excluding when the Cloud Service is unavailable due to (a) required system maintenance
as determined by Qualtrics ("Scheduled Maintenance"); and (b) causes outside of the reasonable control of
Qualtrics that could not have been avoided by its exercise of due care, including any outages caused by: (i) the
Internet in general; (ii) a Customer -caused event; or (iii) any Force Majeure Event ("Availability").
2. Scheduled Maintenance. A minimum of five days' advance notice will be provided by email to Customer for all
Scheduled Maintenance exceeding two hours. For Scheduled Maintenance lasting less than two hours, notice
will be displayed on the login page.
3. Downtime. "Downtime" is defined as the Cloud Service having no Availability, expressed in minutes.
4. Remedies for Downtime. If Downtime exceeds a certain amount per month, Customer will be entitled, upon
written request, to a credit ("Fee Credit") based on the formula: Fee Credit = Fee Credit Percentage set forth
below'` (1/12 current annual Fees paid for Software affected by Downtime). All times listed immediately
below are per calendar month.
1. If Downtime is 30 minutes or less, no Fee Credit Percentage is awarded.
2. If Downtime is from 31 to 120 minutes, Customer is eligible for a Fee Credit Percentage of 5%.
3. If Downtime is from 121 to 240 minutes, Customer is eligible for a Fee Credit Percentage of 7.5%.
4. If Downtime is 241 minutes or greater, Customer is eligible for a Fee Credit Percentage of 10.0%
Agreement No. 6158
qualtrics,,'m
Order Form
Fees Exhibit
License Details
Start Date End Date Term in Months
06-Sep-2021
Cloud Service Details
Period
05-Sep-2022
Services Price
06-Sep-2021 TO 05-Sep- Cloud $20,789.47
2022 Professional $8,311.86
USD
Total $29,101.33
12
Estimated Payment License
Invoice Date Terms from Configuration
Invoice
Effective Date Net 30 Q-1503726
Prices shown do not include applicable taxes. Applicable taxes will be presented on the invoice.
Press Release
Notwithstanding anything to the contrary in the Agreement, upon mutual execution of this Order Form Customer grants Qualtrics the right
to issue a press release naming Customer as a customer of Qualtrics and identifying the product purchased.
Agreement No. 6158
qualtrics.1111
Order Form
Cloud Service Exhibit
Cloud Service Renewal (not applicable to pilots or proofs of concept). Qualtrics sends renewal notices to
customers at least 60 days before the end of the term. Upon expiration of each term, the Cloud Service will
automatically renew for a successive one-year term with a price increase of no more than 5% at such renewal,
unless either parry provides notice of nonrenewal at least 30 days prior to the end of the term.
[Description of Services on following page]
Agreement No. 6158
qualtrlcs.'"
Order Form
CLOUD SERVICE
CX Use -Case
Foundation - User: Includes up to 15
SMS Text Reserve: up to 50000
Foundation - Responses : up to 15000
YEAR 1
Q-1503726
Agreement No. 6158
qualtrics,�m
Order Form
Professional Services Exhibit: SSO Configuration
Customer agrees that Carahsoft may use subcontractors to deliver any portion(s) of the Project at
Qualtrics' discretion.
1. Definitions
a. "Delivery Team" refers to the SET of resources assigned for fulfillment of project scope. "Project"
refers to the SSO Configuration to be provided under this Professional Services Exhibit.
b. "Standard Business Hours" are 0900 to 1700 hours according to the time zone of the office in which
Delivery Team is located, unless otherwise agreed to in writing during the Project.
2. Project Scope
a. Inclusions
i. SSO (Single Sign -On) Configuration
b. Assumptions
i. For the duration of the Project, Customer will provide the Delivery Team with access
to Customer's Qualtrics brand (account) as a brand administrator.
3. Responsibilities
a. Delivery Team Responsibilities
i. Provide documentation, specifications, and requirements for SSO set-up.
ii. Conduct Q&A session with Customer and Customer IT/SSO team to identify any potential
roadblocks, including a non-standard SSO system.
iii. Configure a test brand to validate SSO setup.
iv. Provide configuration details for the test brand and a login URL for setup validation.
v. Provide support in troubleshooting any errors that arise in the test instance.
vi. Test the SSO setup within a test brand before transferring to the live brand.
vii. After successful testing of the configuration, provide configuration details to the
Customer for the live brand, then transfer the configuration to the live brand.
b. Customer Responsibilities
i. Provide key configuration details of SSO system as requested by Qualtrics, dependent on
the type of SSO connection.
ii. If customer SSO can support it, ensure SSO is set up to pass any user attributes required
for dashboard permissioning.
iii. Ensure that a user in the Customer's IdP can successfully login to the Qualtrics platform
using their SSO credentials.
iv. Manages User Acceptance Testing ("UAT") process and any special testing requirements.
4. Governance
a. Delivery Team will reach out to Customer after completion of request survey within the timeline
specified in request survey to schedule a Project kickoff call or coordinate via email. Timing of
kickoff call will be mutually agreed between Delivery Team and Customer based on Delivery Team
availability and Customer's milestones.
b. The Project is complete based on completion of delivery and Customer's acceptance, per the terms
of the Acceptance Criteria section.
Agreement No. 6158
q,ua,ltrics?"
Order Form
c. Unless otherwise agreed by both parties in writing, all interactions and meetings will be conducted
in English, and will be conducted remotely, via phone, email, or videoconference.
5. Acceptance Criteria
a. Once SSO Configuration is completed and the Delivery Team provides notification for review
and approval, the Customer will either (1) confirm the requirements have reasonably been
met and sign off on the approval or (2) reply to the Delivery Team, in writing, detailing the
specific requirements that must still be met. Upon mutual agreement, both parties may agree
to extend the time period for UAT, though additional time may impact Project timelines and
budget and be subject to a Change Order (as defined below).
b. SSO Configuration will be reviewed and signed off according to the following process:
i. Delivery Team will provide configuration details to the Customer for the live brand
and transfer the configuration to the live brand at least 5 business days prior to the
Deliverable completion date.
ii. Customer will sign off or report any issues within 5 business days of submission.
iii. The Delivery Team will correct reported issues within a mutually agreed time frame.
iv. Customer will provide written feedback and raise issues related to the reworked
portion within a mutually agreed time frame, and the Delivery Team will make
changes necessary to resolve the issues.
v. Customer will provide final review and signoff within 2 business days.
vi. SSO Configuration will be considered accepted if the Customer does not provide
written notification of SSO Configuration rejection within the timelines specified
above.
6. Third Party Vendors and Products
a. Customer remains responsible for their own vendors and third parties providing services
related hereto.
b. Qualtrics is not responsible for third party products obtained by Customer.
7. Change Orders
a. If Customer or Delivery Team wishes to change the scope of the Project, they will submit
details of the requested change to the other in writing. Delivery Team will, within a reasonable
time after such request is received, provide a written estimate to Customer of changes to
Project cost, timeline, and/or scope.
b. Promptly after receipt of the written estimate, Customer and Delivery Team will negotiate and
agree in writing on the terms of such change (a "Change Order"). Each Change Order
complying with this Section will be considered an amendment to this Service Order.
Agreement No. 6158
qualtrics
Professional Services Exhibit
Customer agrees that Carahsoft may use subcontractors to deliver any portion(s) of the Project at Qualtrics' discretion.
Qualtrics currently intends to use Ugam Solutions - NORTH AMERICA. Qualtrics will provide notice to Customer if the
delivery subcontractor changes.
1. Definitions
a. "Deliverables" refers to those implementation deliverables included in the Project Scope in Section 2.
b. "Delivery Team" refers to the set of resources assigned for fulfillment of project scope. "Project" refers to
the project that is the accumulation of Deliverables to be provided under this Professional Services Exhibit.
c. "Standard Business Hours" are 0900 to 1700 hours according to the time zone of the office in which Delivery
Team is located, unless otherwise agreed to in writing during the Project.
2. Project Scope
a. Inclusions
i. Deliverable descriptions are outlined in Schedule 1. Please note that only the Deliverables
listed immediately below are included in this Project. Each line item represents a Deliverable
and quantity.
Foundational Standard Implementation
API Introductory Support (1)
Theme Configuration - one theme (1)
Text iQ Configuration (1)
Closed Loop Follow -Up Configuration (1)
CRM Integration Support (1)
Dashboard Configuration - one dashboard (1)
Org Hierarchy and User Setup - per 1000 users (1)
Survey Review -one survey (1)
XM Directory Support (1)
b. Assumptions
i. For the duration of the Project, Customer will provide the Delivery Team with access to
Customer's Qualtrics brand (account) as a brand administrator.
3. Responsibilities
a. Delivery Team Responsibilities
i. Engages with Customer throughout the Project, keeping Customer informed of timelines and
progress toward completion throughout the Project.
ii. Completes all items listed under Delivery Team Responsibilities in Schedule 1 for each Deliverable.
iii. Shares training resources as appropriate for each Deliverable, which may be in the form of live
online training, online materials, and/or free online webinars.
Agreement No. 6158
iv. Offers guidance and support required to ensure Customer can fulfill responsibilities listed in
Schedule 1 for each Deliverable.
v. For projects that involve a new license setup, provides initial configuration of license and Qualtrics
account, including creation of up to 3 brand administrator users.
vi. The purpose of the Project is to train Customer to be able to manage the program when the Project
is complete. As such, the Delivery Team does not perform full setup and configuration of Qualtrics
as a full -service implementation. Please see Schedule 1 for a list of Delivery Team and Customer
responsibilities.
Customer Responsibilities
i. Engages actively throughout the Project, following a cadence decided with Delivery Team during
kickoff call; changes or cancellations of any meetings require 24 hours' notice in order to avoid
forfeiture of allotted time.
ii. Manages User Acceptance Testing ("UAT") process and any special testing requirements, ensuring
that each stage of the Project is complete and the scope of work has been met. This may include:
1. Uploading sample data to the Qualtrics platform to test system functionality and license
settings.
2. Validating that scoped features and settings were implemented correctly and meet the
requirements of the Project.
3. Engaging other stakeholders within Customer's organization as needed to test technical
or functional aspects of the Qualtrics platform.
iii. As needed, provides resources to fill all required roles for successful implementation, which may
include project sponsorship, signatory, stakeholder management, project coordination, customer
experience lead, technical lead, operational support.
iv. Completes all steps listed under Customer Responsibilities in Schedule 1 for each applicable
Deliverable.
v. Maintains all features included in the license after the implementation period, including any
updates to Deliverables created during the Project, as well as the creation of any new Deliverables,
including surveys and dashboards.
vi. For projects that involve a new license setup, provides required information for setup of brand
administrator accounts; brand administrator users may create additional user accounts and
manage access to the license, in accordance with any limitations specified in the license terms.
4. Governance
a. Delivery Team will coordinate with Customer to schedule a Project kickoff call, at which time the Project
begins. Timing of kickoff call will be mutually agreed between Delivery Team and Customer based on
Delivery Team availability and Customer's milestones.
b. The Project is complete based on completion of delivery and Customer's acceptance, per the terms of the
Acceptance Criteria section.
c. Unless otherwise agreed by both parties in writing, all interactions and meetings will be conducted in
English, and will be conducted remotely, via phone, email, or videoconference.
5. Acceptance Criteria
a. Once a Project phase is completed and the Delivery Team provides notification of the Deliverables for
review and approval, the Customer will either (1) confirm the requirements have reasonably been met
and sign off on the approval for the next implementation phase to begin or (2) reply to the Delivery
Team, in writing, detailing the specific requirements that must still be met. Upon mutual agreement,
both parties may agree to extend the time period for UAT, though additional time may impact Project
timelines and budget and be subject to a Change Order (as defined below).
Agreement No. 6158
b. Ensures that all Deliverables are reviewed and signed off according to the following process:
i. Delivery Team will submit final drafts for review and sign -off at least 5 business days prior to
the Deliverable completion date.
ii. Customer will sign off or report any issues within 5 business days of draft submission.
iii. The Delivery Team will correct reported issues within a mutually agreed time frame.
iv. Customer will provide written feedback and raise issues related to the reworked portion of
the Deliverable within a mutually agreed time frame, and the Delivery Team will make changes
necessary to resolve the issues.
v. Customer will provide final review and signoff on the reworked Deliverables within 2 business
days.
vi. Deliverables will be considered accepted if the Customer does not provide written notification
of Deliverable rejection within the timelines specified above.
6. Third Party Vendors and Products
a. Customer remains responsible for their own vendors and third parties providing services related
hereto.
b. Qualtrics is not responsible for third party products obtained by Customer.
7. Change Orders
a. If Customer or Delivery Team wishes to change the scope of the Project, they will submit details of the
requested change to the other in writing. Delivery Team will, within a reasonable time after such
request is received, provide a written estimate to Customer of changes to Project cost, timeline, and/or
scope.
b. Promptly after receipt of the written estimate, Customer and Delivery Team will negotiate and agree
in writing on the terms of such change (a "Change Order"). Each Change Order complying with this
Section will be considered an amendment to this Service Order.
Agreement No. 6158
Schedule 1: Descriptions of Implementation Deliverables Glossary
This outlines all Deliverables that may be included in a Qualtrics Implementation, along with associated Delivery Team and
Customer responsibilities. Deliverables listed below may not be included in the specific Project referenced in the above
Service Order. For a list of specific Deliverables included In this Pro act refer to Section 2: Project Scope above.
Unless otherwise noted, all Deliverables will be configured using standard features available in the Qualtrics platform; custom
features can be scoped and purchased separately through Qualtrics Engineering Services. For all Deliverables, Customer is
responsible for any setup or configuration beyond what the Delivery Team provides as part of the Project, including additional
surveys or dashboards, and any required translations for surveys, dashboards, reports, Website Feedback creatives, or any
other features of the Qualtrics platform. Customer will maintain all aspects of the Deliverables after completion of the
Project.
Deliverable + Description
Associated Responsibilities
Action Planning Configuration
Delivery Team Responsibilities
The Action Planning module enables
Configure one (1) Action Planning dashboard page, including one (1)
creation and management of action plans
Action Planning widget
based on specific types of customer
Configure one (1) dashboard with up to ten (10) widgets to enable
feedback. These action plans make it easier
reporting of Action Planning data. The widget(s) will be based on the
to address customer feedback and tackle
Action Planning data set only.
the root causes of customer complaints.
Customer Responsibilities
Identify and configure specific fields within the Action Planning module.
Additional Technology Consult
Delivery Team Responsibilities
(12 Hour Block)
Provide a Technology Consultant during the Project duration defined in
If the Customer requires additional ad -hoc
Section 4 "Governance" of this Statement of Work to perform twelve (12)
support for a Qualtrics Technology
hours of additional tasks as directed by the Customer and as outlined as
Consultant, then the Customer may
Deliverables in this Statement of Work.
purchase this support in blocks of 12 hours.
Customer Responsibilities
Customer must use this additional support during the Project duration as
defined in Section 4 "Governance" of this Statement of Work.
API Introductory Support
Delivery Team Responsibilities
The Qualtrics REST API allows querying of
Provide Customer with available API documentation and provide guidance
the Qualtrics platform using common URL
on API access.
syntax.
Provide up to two (2) one -hour sessions including an overview of Qualtrics
system modules and common use cases in API usage.
Provide up to two (2) hours of API consulting, available during the
implementation period, which can be used for support via conference calls
or email.
Customer Responsibilities
Ensure at least one (max of 10) developer familiar with the use of REST to
access API endpoints is engaged in implementation Project.
Configure requests using DELETE, PUT, GET or POST requests.
Agreement No. 6158
Own setup, maintenance, and troubleshooting of any integrations built
using the Qualtrics REST API.
API Advanced Support
Delivery Team Responsibilities
The Qualtrics REST API allows querying of
Provide up to five (5) one -hour sessions including an overview of executing
the Qualtrics platform using common URL
web service calls from the qualtrics platform using a web service task, and
syntax.
capabilities included in the website feedback in-app software
Advanced support includes more consulting
development kit (SDK).
time than introductory support.
Provide up to five (5) hours of API consulting, available during the
Musl ,be purchased with API intro ucto
implementation period, which can be used for support via conference calls
or email.
support
Customer Responsibilities
Assign one or more developer (but no more than ten) with experience
programming using RESTful API endpoints to Project tasks.
Configure requests using DELETE, PUT, GET or POST requests.
Own setup, maintenance, and troubleshooting of any integrations built
using the Qualtrics REST API.
13213 Command Center Support
Delivery Team Responsibilities
Qualtrics Business to Business ("B2B')
Configure 13213 Command Center template for Customer Dashboard.
Command Center gives Customers a
Connect the Command Center widget to applicable survey and Salesforce
dashboard view into actionable key account
data sources as delivered within the "CRM Integration Support" and
management value drivers.
"Dashboard Configuration" Service Deliverables.
Configure necessary one time user hierarchy as delivered within the "Org
Hierarchy and User Setup" Service Deliverable.
Customer Responsibilities
All Customer responsibilities as defined in the "CRM Integration Support",
"Dashboard Configuration", , and "Org Hierarchy and User Setup" Service
Deliverables.
Chat & Comms Integration Support
Delivery Team Responsibilities
Slack integration allows you to automate
Advise on best practices for setting up a Slack survey in one of two ways,
notifications based on survey feedback, or
to be decided by Customer:
share a single -question survey within a
Notify a channel when a survey has been answered based on predefined
public Slack channel.
conditions.
Send a one -question survey to a public Slack Channel.
Customer Responsibilities
Download Qualtrics app and allow access to the Slack account.
Configure a survey within the Qualtrics platform for integration with Slack.
Determine which Slack survey setup is most appropriate, choosing from
the two options provided above.
Based on the survey setup chosen, either define the conditions for
triggering slack notifications and provide message text for the integration,
or add the custom survey to the desired Slack channel.
Agreement No. 6158
Closed Loop Follow -Up Configuration Delivery Team Responsibilities
Ticketing is a way to assign ownership of a Configure logic and field sets for up to five (5) Tickets tasks.
task to an individual or role to enable quick Create one (1) dashboard to enable reporting of ticketing -related metrics
action based on customer survey that can be gathered using standard ticketing functionality.
responses.
Tickets can be managed within the Customer Responsibilities
Qualtrics platform through the follow-up Define and configure logic behind ticket task creation and routing.
page, and dashboards can be used to track If dynamic ticket assignment is desired, ensure the username of assignees
relevant metrics. are included as an Embedded Data field in each survey response. (Manual
ticket assignment may be used as an alternative).
Command Center for Customer Care
Delivery Team Responsibilities
Command Center involves the integration
Configure one (1) Customer Survey & one (1) Agent Survey in the Qualtrics
of Salesforce & the Qualtrics platform to
platform, as delivered within the "Survey Configuration" Service
provide feedback from both the customer
Deliverable.
and agent to realize insights on individual
Guide and provide up to eight (8) hours of support to set up the
customer interactions and broader
Customer's Salesforce environment for use with the Qualtrics
organizational improvements.
Components.
Guide the Customer in importing case data from up to one (1) Salesforce
Report or one (1) formatted CSV.
Configure up to three (3) Custom Metric(s), including one (1) Agent
Performance Score metric in the Qualtrics dashboard described in the
"Dashboard Configuration" Service Deliverable.
Customer Responsibilities
Design the Customer Survey & Agent Survey.
Setup Salesforce environment for use with the Qualtrics Components.
Provide direction and feedback on Command Center dashboard.
Perform User Acceptance Testing (UAT) of survey(s), Salesforce
integration, and dashboard.
Note: Qualtrics will not access Customer Salesforce environment as part of
this project. The Customer must own and have full access to a Salesforce
account.
CRM Integration Support Delivery Team Responsibilities
The Customer Relationship Management Support for integration for one (1) CRM system.
("CRM') integration enables data sharing Ensure permissions are enabled for CRM integration.
and workflow integration between Provide demonstration on the use of the CRM integration capability, which
Customer's CRM and Qualtrics. Details may include the following based on the CRM being integrated with:
around CRM-specific capabilities are
available on Qualtrics' website support - Using workflow rules in CRM to trigger Qualtrics surveys.
pages. - Mapping survey responses into a CRM object, for access and reporting
within CRM.
Customer Responsibilities
Ensure at least one (max of 10) CRM administrator(s) responsible for
Customer's CRM environment is engaged in implementation Project.
Agreement No. 6158
Ensure full access to a CRM account.
Program surveys within Qualtrics platform to be used with CRM
integration.
Set up and implement all relevant CRM workflow rules required as part of
this integration.
Ensure availability of all required custom objects within CRM (e.g., survey
record).
As applicable, verify that Qualtrics survey data appears successfully within
the CRM environment.
Note: Qualtrics will not access Customer CRM environment as part of this
Project. The Customer must own and have full access to a CRM account.
Customer Service Integration Support
Delivery Team Responsibilities
The Customer Service Integration feature
Support for integration for one (1) Customer Service system.
enables the creation or updating of tickets
Ensure permissions are enabled for incident management system
within Customer's incident management
integration.
application. Details around incident
Provide demonstration on the use of the incident management integration
management -specific capabilities are
capability, which may include the following based on the incident
available on Qualtrics' website support
management system being integrated with:
pages.
-Using criteria within a Qualtrics survey to create or update a ticket
within the incident management system.
- Reviewing available incident management ticket fields (e.g., Assignee ID,
Priority, Status) that can be set as part of the Customer Service Integration
feature.
Customer Responsibilities
Ensure at least one (max of 10) incident management system
administrator responsible for Customer's incident management system
environment is engaged in the implementation Project.
Ensure full access to an incident management system account.
Program surveys within Qualtrics platform to be used with incident
management system integration.
Set up and implement all relevant incident management system workflow
rules required as part of this integration.
Ensure availability of all required custom objects within the incident
management system (e.g., survey record).
As applicable, verify that Qualtrics survey data appears successfully within
the incident management system environment.
Note: Qualtrics will not access Customer incident management system
environment as part of this Project. The Customer must own and have full
access to an incident management system account.
Dashboard Configuration I Delivery Team Responsibilities
Dashboards can be used to share the results I Conduct a scoping and design call with Customer upon commencement of
of ongoing research programs by mapping J license to agree upon dashboard content and layout.
Agreement No. 6158
one or more data sources into dynamic
Configure one (1) dashboard with up to three (3) pages, including up to
visualizations called widgets.
twenty (20) widgets per page, after the surveys have been programmed by
Widgets dynamically present data in
Customer.
graphs, pictures, and tables. Dashboard
Optimization of up to one (1) dashboard page for presentation on
pages can be used to group widgets in
Qualtrics Mobile Application.
impactful ways.
Connect the dashboard to one or all of the surveys purchased as part of
Both pages and widgets can be filtered,
this Project.
edited, and shared with restrictions based
Map up to twenty (20) survey questions and up to thirty (30) embedded
on audience needs and security levels.
data fields per survey to the dashboard.
Configure up to three (3) user roles; grant role -based access to the
1 dashboard, including access to specific pages and responses, as defined by
Customer.
Customer Responsibilities
Design and program all survey(s) that are to be mapped to dashboards.
Determine key metrics to be used in the dashboard.
Define and share with Delivery Team specific role -based access
requirements for dashboard, specific pages, and responses.
Create needed user accounts, either manually or via batch upload, and
ensure that any users who require data restrictions or role -based access
have appropriate attributes saved in the Qualtrics platform.
Data Isolation Setup
Delivery Team Responsibilities
All Qualtrics data and brands are protected
Configure Customer's Qualtrics license to support this security feature.
with the utmost care. However, for those
Validate that advanced security features have been successfully
who wish to have more control over
implemented.
security settings, Data Isolation allows
Brand Administrators a wide range of
Customer Responsibilities
customization options, including user login
tracking, additional password
Performs responsibilities necessary for the Project and as outlined in this
requirements, lockout settings based on
Statement of Work.
failed login attempts, and much more.
Digital Insights Integration Support
Delivery Team Responsibilities
Adobe Analytics integration allows survey
Provide support to ensure Customer can fulfill responsibilities outlined
responses to be passed back to Adobe
below.
Analytics. If using the Qualtrics Website
Feedback functionality, Adobe Analytics
Customer Responsibilities
variables from the website may be passed
Identify Adobe Analytics variables to use in intercept logic, as well as
to Qualtrics as embedded data within a
website and Adobe Analytics variables to pass to a survey response.
survey.
Create embedded data fields in the Qualtrics platform using Website
Feedback to populate within Adobe Analytics.
Configure the integration to enable sending survey responses to Adobe
Analytics.
Note: Any questions about Adobe reports will be handled through Adobe
Support.
Agreement No. 6158
Frontline Feedback Support
Delivery Team Responsibilities
Frontline Feedback is used to collect,
Conduct one (1) custom training for the feedback moderator, and up to
organize, and prioritize suggestions from
one (1) end user stakeholder session for the Frontline Feedback feature.
users in your Qualtrics license. Each i
Configure one (1) Frontline Feedback Project, including sharing
feedback request contains a set of
permissions, notifications, custom statuses and one (1) dashboard page to
attributes with important information
view the collected feedback.
about the request. Users may interact with
the feedback request by commenting,
Customer Responsibilities
voting, and categorizing feedback requests.
You can prioritize requests through sorting,
Performs responsibilities necessary for the Project and as outlined in this
filtering, and searching capabilities as well
Statement of Work.
as view feedback in aggregate through the
use of dashboards.
Mobile Dashboard Configuration
Delivery Team Responsibilities
Mobile Dashboards can be used to share
Conduct a scoping and design call with Customer upon commencement of
the results of ongoing research programs to
license to agree upon dashboard content and layout.
individuals on the go.
Configure or optimize one (1) dashboard for mobile with up to two (2)
Mobile optimized widgets dynamically
pages after the surveys have been programmed by Customer.
present data via graphs and pictures. Users
Connect the dashboard to one or all of the surveys purchased as part of
can view, share, and comment on open
this Project.
ended feedback real time. Mobile alerts and
Map up to ten (10) survey questions and up to ten (10) embedded data
push notification can be used to inform
fields per mobile exclusive dashboard.
users of urgent feedback.
Configure up to two (2) user roles; grant role -based access to the
can be used to
Mobile dashboard pages can be
dashboard, including access to specific pages and responses, as defined by
group widgets to create furole
Customer.
based views.
Provide up to two (2) hours of consulting on how to download, install, and
Both pages and widgets can be filtered,
navigate the XM App.
edited, and shared with restrictions based
on audience needs and security levels.
Customer Responsibilities
Design and program all survey(s) that are to be mapped to dashboards.
Determine key metrics to be used in the dashboard.
Define and share with Delivery Team specific role -based access
requirements for dashboard, specific pages, and responses.
Create needed user accounts, either manually or via batch upload, and
ensure that any users who require data restrictions or role -based access
have appropriate attributes saved in the Qualtrics platform.
Download and install XM Mobile App on their devices.
Marketing Integration Support
Delivery Team Responsibilities
Marketing integration allows you to
Provide support to ensure the Customer can fulfill responsibilities outlined
generate links in Qualtrics and assign them
below.
to leads from a static list through the
Qualtrics Marketo Extension. Each
Customer Responsibilities
generated link is immediately stored in a
Create the API -only user, create a new service, and enter Marketo IDs into
Marketo Lead Field, and a token may be
Qualtrics.
inserted into a Marketo email campaign to
Generate links and distribute them to contact lists as appropriate.
Agreement No. 6158
assign personalized survey links to each
unique lead.
Native Application Feedback Support
Delivery Team Responsibilities
Website /App Feedback projects are a
Support the Customer in configuration of application intercept
great way to reach out to your website
(1) purchased as part of this Project.
visitors. You can create professional and
Advise the Customer in obtaining code from the Qualtrics platform for use
beautiful graphics that appear in special
in application feedback intercepts.
conditions to advertise something or to
Review configured application intercepts to verify best practices are
request feedback. You can also customize
followed and intercepts are ready for production.
when you want to approach visitors.
Customer Responsibilities
Configure the application intercepts to be used for sourcing survey
participants.
Build Website Feedback surveys using the Qualtrics Platform.
Deploy and maintain Website Feedback code on applicable Customer -
owned domains.
Qualtrics Offline Application Support
Delivery Team Responsibilities
Qualtrics Offline Application is available for
Provide Best Practices and subject matter expertise support to the
iOS and Android and allows surveys to be
customer for Qualtrics Offline Application installation and configuration,
run on a mobile device without an internet
connection. Responses can be collected in
Qualtrics Offline Application Support is considered complete when initial
the field on a mobile device and then
offline survey is successfully programmed and downloaded to the Offline
uploaded to Qualtrics as soon as access to
Surveys App.
an internet connection is available.
Customer Responsibilities
Create surveys that will be downloaded to the Offline Surveys App.
NOTE: Certain question types do not currently function with the offline
app. The Mobile Compatibility Advisor will indicate if the question is not
compatible with the offline app at the time of building the survey.
Online Reputation Management
Delivery Team Responsibilities
Configuration
Support the configuration of Customer's aggregator account (to be
The Qualtrics social media management
performed by a third party).
tool, customers can actively monitor the
Configure the Qualtrics social media management tool to pull aggregator
online reputation of their physical locations.
data into Customer's account.
Provide the Customer with one (1) dashboard page created from a
The tool scrubs the internet for reviews on
Qualtrics ORM template, which will display data from the social media
specific store or office locations, and feeds
management tool.
them into the Qualtrics platform for easy
visualization in Vocalize dashboards.
Customer Responsibilities
Provide all physical locations of Customer's organization to be monitored
within the social media management tool. The number of locations cannot
exceed those purchased as part of Customer's license configuration.
Agreement No. 6158
Manage dashboard access permissions and invitations, with advice and
support from Delivery Team.
Validate that dashboard data and permissions are configured correctly.
Create needed user accounts, either manually or via batch upload, and
ensure that any users who require data restrictions or role -based access
have appropriate attributes saved in the Qualtrics platform.
Configure user roles; grant role -based access to the dashboard.
Note: Integration will retrieve up to 90 days of historical data at
configuration. Dashboard page provided is a standard page created from a
Qualtrics template; customized dashboard builds must be purchased
separately.
Org Hierarchy and User Setup - per 1000
Delivery Team Responsibilities
users
Upload batch files of users with associated role/attributes.
Org Hierarchy and User Setup eliminates
the need to manually create user accounts
Customer Responsibilities
for existing user groups by uploading in
Provide a list of users and associated roles/attributes in a standard file
batches. User accounts are created with
format specified by Delivery Team.
appropriate roles and attributes as defined
by the Customer.
Predict iQ Support
Delivery Team Responsibilities
PredictlQ uses survey responses and
Provide demonstration on the use of the Predict iQ capability, including
embedded data to predict whether
the following:
individual respondents will eventually
- Creating a prediction model using a Churn embedded data value.
churn.
- Using the Churn Probability and Churn Prediction features of the
Data Analysis tab.
- The use of actions to manage real-time churn alerts.
- How to use historical data to create a Churn model.
Assist in the creation of one (1) Churn model in a single survey, and, if
desired, configure one (1) trigger based on the Churn variable.
Customer Responsibilities
Import any historical data required as part of this Project.
Create one (1) Churn variable within the Qualtrics platform.
Note: Predict iQ requires a minimum of 500 survey responses from
customers that have churned in order to predict future Churn; 5,000 or
more responses will provide best results. If this amount of data is not
available during implementation, test data may be generated. The
Customer must understand prediction models and is responsible for
deciding how Predict iQ will be configured.
Survey Best Practice Design Review
Delivery Team Responsibilities
Session
Provide eight (hours) of support from a Qualtrics approved CX Advisory
Leveraging best practices defined by the
Expert to:
Qualtrics XM Institute, a Qualtrics approved
CXAdvisoryExpert will provide best
Agreement No. 6158
practice guidance and review for one (1) - Perform one (1) session to Customer to review industry best
customer created survey. practices for CX survey design.
• Perform up to two (2) sessions to Customer for review and
feedback of the Customer's CX survey design.
Customer Team Responsibilities
Provide survey design to the Advisory Expert for review and feedback.
Survey Review Delivery Team Responsibilities
Survey review ensures your survey is Complete up to two (2) survey reviews per survey with Customer to
designed according to best practices. ensure all logic, embedded data, survey options and instrumentation are
implemented correctly for both survey experience and reporting
requirements.
Perform testing through generating test responses, survey preview, or
other appropriate in -platform means to validate the survey setup and
flow.
Customer Responsibilities
Build all required surveys and reports using the Qualtrics platform, with
advice and support from the Delivery Team.
Develop, apply and maintain any custom code (e.g., CSS, JavaScript, HTML)
applied to the survey.
Manage survey distribution through channel(s) supported by the platform
(e.g. email, SMS, etc.).
Validate that all responses are collected in the format expected before the
first project is launched.
Survey Configuration
Delivery Team Responsibilities
Survey configuration ensures your survey is
Build all required surveys and reports using the Qualtrics platform, with
designed and configured according to best
design and review input from Customer.
practices and your requirements.
Configure automated survey distribution through channel(s) supported by
the platform (e.g. email, SMS, etc.).
Perform testing through generating test responses, survey preview, or
other appropriate in -platform means to validate the survey setup and
flow.
Develop, apply and maintain any custom code (e.g., CSS, JavaScript, HTML)
applied to the survey (additional Engineering Services costs will apply for
such support to be activated)
Customer Responsibilities
Complete up to two (2) survey reviews per survey with the Delivery team
against Customer's survey experience and reporting requirements.
Validate that all responses are collected in the format expected before the
first project is launched.
Survey Data Migration (One -Time; Up to Delivery Team Responsibilities
50,000 responses) Guide the Customer in configuring up to one (1) target survey to contain
legacy/third party survey data.
Agreement No. 6158
Survey Data Migration involves the Guide the Customer in formatting legacy/third party survey data into the
managed import of suitably formatted associated Qualtrics Import format.
legacy/third party survey (response) data Guide the Customer in importing up to one (1) formatted legacy/third
into the Qualtrics platform. party survey data file into Qualtrics.
Confirm the correct import of up to one (1) legacy/third party data file into
Qualtrics.
Survey Translation Support - per language,
per survey
Multiple languages can be added to a single
survey within the Qualtrics platform,
allowing localization of survey display
language while maintaining all responses
within a single dataset. '
Tableau Integration Support
Tableau integration makes Qualtrics data
available for use in Tableau dashboards.
This integration enables you to view
Qualtrics survey data alongside all other
data included in your dashboards.
Text iQ Configuration
Customer Responsibilities
Provide the legacy/third party survey data.
Take guidance from the Delivery Team on the initial one (1) import file.
Format and import any additional legacy/third party data beyond the
initial one (1) file.
Delivery Team Responsibilities
Advise the Customer on how to use the Qualtrics platform to load survey
translations.
Assist with troubleshooting as needed.
Customer Responsibilities
Load data to Qualtrics platform.
Conduct all required translation of survey questions, messages, etc.
Delivery Team Responsibilities
Advise on the steps to connect Qualtrics with Tableau.
Customer Responsibilities
Ensure that the current version of Tableau or any of the prior 2 updates
are used for the integration.
Configure all Tableau dashboards using survey response data from the
Qualtrics platform.
Verify that Qualtrics survey -data appears successfully within the correct
Tableau environment.
Delivery Team Responsibilities
Text iQ enables search and categorization Merge topics from up to three (3) text questions into a dashboard for
of textual responses into topics. reporting purposes.
The system automatically generates Configure up to one (1) dashboard page, including up to ten (10) widgets,
recommendations, and users can manually to visualize the results of the topic analysis.
add topics using enhanced search
functionality that includes stemming and Customer Responsibilities
spell check for expanded results. Manually create topics as required for the Project.
Determine topics to include in the analysis from manually -created or
automatically recommended topics.
Note: The system will make best -effort recommendations for automatic
topic creation, though Qualtrics recommends a minimum of 10,000
comments per field for best performance of automatic topic creation.
Agreement No. 6158
Theme Configuration
Dynamic themes allow you to send surveys
that align with your brand. Themes are
made up of a logo, primary color, and
background image%olor.
Vanity URL Setup
Delivery Team Responsibilities
Create a survey theme for theCustomer, in accordance with any
limitations specified in the license terms.
Customer Responsibilities
Submit theme logos, styles, and colors using the Qualtrics Theme Builder.
Delivery Team Responsibilities
Host your Qualtrics surveys, dashboards, Coordinate efforts of the Customer IT team and Qualtrics Technical
and user accounts on a custom web address Operations team as required to set up the Vanity URL.
to ensure alignment with your company Configure Vanity URL, including certificate registration and domain setup.
brand.
Voice IQ Support
Voice IQ enables customers to analyze full-
length recordings of their contact center
conversations between customers and
agents in order to extract insights about the
experience such as topics, sentiment, and
emotion. Contact center conversations
include a treasure trove of experience data
that was previously not available through
surveys.
Voice iQ is powered by a Qualtrics partner
ecosystem.
Website Feedback Support
Website /App Feedback projects are a
great way to reach out to your website
visitors. You can create professional and
beautiful graphics that appear in special
conditions to advertise something or to
request feedback. You can also customize
when you want to approach visitors.
Note: Customer's first year license fee must be paid in full before work can
commence on vanity URL setup. This is due to the fact that Qualtrics must
purchase and register certificates for the vanity domain and make
configuration changes with their Content Delivery Network (CDN).
Delivery Team Responsibilities
Build a survey to store transcribed Voice to Text data.
Build a dashboard to allow for analysis and review of transcribed Voice to
Text data.
Create basic filters and functionality including both voice analysis and
textlQ analysis.
Customer Responsibilities
Responsibility for the installation and configuration of the third party
aggregation system.
Delivery Team Responsibilities
Support Customer in configuration of domain(s) and intercept(s)
purchased as part of this Project.
Advise Customer in obtaining code from the Qualtrics platform for use in
Website Feedback intercepts.
Review configured web intercepts to verify best practices are followed and
intercepts are ready for production.
Customer Responsibilities
Configure the web intercepts to be used for sourcing survey participants.
Build Website Feedback surveys using the Qualtrics Platform.
Deploy and maintain Website Feedback code on applicable Customer -
owned domains.
Build creative elements of Website Feedback, including popovers,
feedback tabs, side bars, etc.
Configure Website Feedback intercepts, including the logic determining
when to present creatives.
Agreement No. 6158
XM Directory Automation Support
Delivery Team Responsibilities
With XM Directory's Contact Import
Provide consultation on Managing XM Directory Automations, Configuring
Automation and Sample Distribution
one (1) Contact Import Automation, Configuring one (1) Distribution
Automation, you can create, configure,
Automation.
update, test, and review your own
Review configuration and verify best practices are followed.
automation jobs, which streamlines your
contact creation and survey distribution.
Customer Responsibilities
Edit your existing automations, delete
Provide a valid sample contact (panel) file for use with Contact Import
them, enable them, or disable them in the
Automation.
Automations tab of your Contacts.
Provide SFTP Account, unless an alternative SFTP Account has been
provided.
Configure and validate required XM Directory Automations.
Monitor all configured XM Directory Automations.
XM Directory Support
Delivery Team Responsibilities
XM Directory is a contact management
Provide consultation on contact frequency, deduplication, sample upload,
platform that allows you to create and
embedded data fields, and ideal license configuration.
update contact information in one central
Review configuration and verify best practices are followed.
database and send surveys directly to
See also XM Directory Automations Support.
mailing lists, decrease the number of
duplicate contacts easily to prevent repeat
Customer Responsibilities
uploads, and manage your global opt -outs
Manage, clean, and upload a sample file and all panel files to Qualtrics
from the directory. You can also limit the
platform.
amount of times a respondent can be
contacted by your brand to prevent
Create sample plans or weighting matrices as appropriate.
response fatigue and improve the survey
Build integrations between Qualtrics platform and Customer databases as
taking experience.
required for this Project.
XM Guided Solution & Solution Playbook
Delivery Team Responsibilities
XM Guided Solutions provide pre-
Provide Customer with access to use case specific guided
configured surveys, expert -validated
solution consisting of pre -built Survey(s) and Dashboard.
methods, and dashboards tailored to the
Provide Customer access to the use case specific solution playbook.
Customer's CX Use Case.
Conduct a 1 hour meeting to review the solution playbook with
Customer.
Customer Responsibilities
Customer can choose to use the above described Dashboard Configuration
and/or Survey Review Implementation Deliverables to support Customer
specific configurations to the Survey and Dashboard projects provided as
part of the XM Guided Solution.
If Customer chooses not to do so, then no additional configuration support
is provided for the XM solution.
Agreement No. 6158
GENERAL TERMS AND CONDITIONS FOR QUALTRICS CLOUD SERVICES ( GTC")
Between Qualtrics, LLC
(an SAP America Inc. company)
333 W. River Park Drive
Provo, Utah 84604
('Qualtrics")
And City of Ell Segundo
350 Main Street, El Segundo, CA 90245
("Customer")
1. DEFINITIONS
Capitalized terms used in this document are defined in the Glossary.
2. USAGE RIGHTS AND RESTRICTIONS
2.1 Grant of Rights.
Qualtrics grants to Customer a non-exclusive, non -transferable and world-wide right to use the Cloud
Service (including its implementation and configuration), Cloud Materials (as applicable) and
Documentation solely for Customer's and its Affiliates' internal business operations. Permitted uses and
restrictions of the Cloud Service also apply to Cloud Materials and Documentation.
2.2 Authorized Users.
Customer may permit Authorized Users to use the Cloud Service. Usage is limited to the Usage Metrics
and volumes stated in the Order Form. Access credentials for the Cloud Service may not be used by
more than one individual, but may be transferred from one individual to another if the original user is
no longer permitted to use the Cloud Service. Customer is responsible for breaches of the Agreement
caused by Authorized Users.
2.3 Acceptable Use Policy.
With respect to the Cloud Service, Customer will not:
(a) disassemble, decompile, reverse -engineer, copy, translate or make derivative works,
(b) transmit any content or data that is unlawful or infringes any intellectual property rights, or
(c) circumvent or endanger its operation or security.
2.4 Verification of Use.
Customer will monitor its own use of the Cloud Service and report any use in excess of the Usage
Metrics and volume. Qualtrics may monitor use to verify compliance with Usage Metrics, volume and
the Agreement.
2.5 Suspension of Cloud Service.
Qualtrics may suspend or limit use of the Cloud Service if continued use may result in material harm
to the Cloud Service or its users. Qualtrics will promptly notify Customer of the suspension or limitation.
Qualtrics will limit a suspension or limitation in time and scope as reasonably possible under the
circumstances.
2.6 Third Party Web Services.
The Cloud Service may include integrations with web services made available by third parties (other
than Qualtrics' Affiliates) that are accessed through the Cloud Service and subject to terms and
conditions with those third parties. These third party web services are not part of the Cloud Service
and the Agreement does not apply to them.
2.7 Mobile Access to Cloud Service.
If applicable, Authorized Users may access certain Cloud Services through mobile applications obtained
from third -party websites such as Android or Apple app store. The use of mobile applications may be
governed by the terms and conditions presented upon download/access to the mobile application and
not by the terms of the Agreement.
General Terms and Conditions for Qualtrics Cloud Services (Direct) enGlobal. v. 5-2020
Agreement No. 6158
3. QUALTRICS RESPONSIBILITIES
3.1 Provisioning.
Qualtrics provides access to the Cloud Service as described in the Agreement.
3.2 Support.
Qualtrics provides support for the Cloud Service as referenced in the Order Form.
3.3 Security.
Qualtrics will implement and maintain appropriate technical and organizational measures to protect the
personal data processed by Qualtrics as part of the Cloud Service as described in the Data Processing
Agreement attached hereto as Exhibit A ("DPA") for Cloud Services incorporated into the Order Form
in compliance with applicable data protection law.
3.4 Modifications.
(a) The Cloud Service and Qualtrics Policies may be modified by Qualtrics. Qualtrics will inform
Customer of modifications by email, the support portal, release notes, Documentation or the
Cloud Service. The information will be delivered by email if the modification is not solely an
enhancement. Modifications may include optional new features for the Cloud Service, which
Customer may use subject to the then -current Supplement and Documentation.
(b) If Customer establishes that a modification is not solely an enhancement and materially reduces
the Cloud Service, Customer may terminate its subscriptions to the affected Cloud Service by
providing written notice to Qualtrics within thirty days after receipt of Qualtrics' informational
notice.
3.5 Analyses.
Qualtrics or Qualtrics' Affiliates may create analyses utilizing, in part, Customer Data and information derived
from Customer's use of the Cloud Service and Consulting Services, as set forth below ("Analyses"). Analyses
will anonymize and aggregate information and will be treated as Cloud Materials.
Unless otherwise agreed, personal data contained in Customer Data is only used to provide the Cloud Service
and Consulting Services. Analyses may be used for the following purposes:
a) product improvement (in particular, product features and functionality, workflows and user
interfaces) and development of new Qualtrics products and services,
b) improving resource allocation and support,
c) internal demand planning,
d) training and developing machine learning algorithms,
e) improving product performance,
f) verification of security and data integrity
g) identification of industry trends and developments, creation of indices and anonymous
benchmarking
4. CUSTOMER AND PERSONAL DATA
4.1 Customer Data.
Customer is responsible for the Customer Data and entering it into the Cloud Service. Customer grants
to Qualtrics (including Qualtrics' Affiliates and subcontractors) a nonexclusive right to process Customer
Data solely to provide and support the Cloud Service.
4.2 Personal Data.
Customer will collect and maintain all personal data contained in the Customer Data in compliance with
applicable data privacy and protection laws.
4.3 Security.
Customer will maintain reasonable security standards for its Authorized Users' use of the Cloud Service.
Customer will not conduct or authorize penetration tests of the Cloud Service without advance approval
from Qualtrics.
4.4 Access to Customer Data.
(a) During the Subscription Term, Customer can access its Customer Data at any time. Customer may
export and retrieve its Customer Data in a standard format. Export and retrieval may be subject
to technical limitations, in which case Qualtrics and Customer will find a reasonable method to
allow Customer access to Customer Data.
(b) Before the Subscription Term expires, if available, Customer may use Qualtrics' self-service
export tools (as available) to perform a final export of Customer Data from the Cloud Service.
Alternatively, Customer may request data export through support ticket.
Agreement No. 6158
(c) At the end of the Agreement, Qualtrics will delete the Customer Data remaining on servers hosting
the Cloud Service unless applicable law requires retention. Retained data is subject to the
confidentiality provisions of the Agreement.
(d) In the event of third party legal proceedings relating to the Customer Data, Qualtrics will
cooperate with Customer and comply with applicable law (both at Customer's expense) with
respect to handling of the Customer Data.
5. FEES AND TAXES
5.1 Fees and Payment.
Customer will pay fees as stated in the Order Form. After prior written notice, Qualtrics may suspend
Customer's use of the Cloud Service until payment is made. Customer cannot withhold, reduce or set-
off fees owed nor reduce Usage Metrics during the Subscription Term. All Order Forms are non -
cancellable and fees non-refundable.
5.2 Taxes.
Fees and other charges imposed under an Order Form will not include taxes, all of which will be for
Customer's account. Customer is responsible for all taxes, other than Qualtrics' income and payroll
taxes. Customer must provide to Qualtrics any direct pay permits or valid tax-exempt certificates prior
to signing an Order Form. If Qualtrics is required to pay taxes (other than its income and payroll taxes),
Customer will reimburse Qualtrics for those amounts and indemnify Qualtrics for any taxes and related
costs paid or payable by Qualtrics attributable to those taxes.
6. TERM AND TERMINATION
6.1 Term.
The Subscription Term is as stated in the Order Form.
6.2 Termination.
A party may terminate the Agreement:
(a) upon thirty days written notice of the other party's material breach unless the breach is
cured during that thirty day period,
(b) as permitted under Sections 3.4(b), 7.3(b), 7.4(c), or 8.1(c) (with termination effective thirty
days after receipt of notice in each of these cases), or
(c) immediately if the other party files for bankruptcy, becomes insolvent, or makes an assignment
for the benefit of creditors, or otherwise materially breaches Sections 11 or 12.6.
6.3 Refund and Payments.
For termination by Customer or an 8.1(c) termination, Customer will be entitled to:
(a) a pro-rata refund in the amount of the unused portion of prepaid fees for the terminated
subscription calculated as of the effective date of termination, and
(b) a release from the obligation to pay fees due for periods after the effective date of termination.
6.4 Effect of Expiration or Termination.
Upon the effective date of expiration or termination of the Agreement:
(a) Customer's right to use the Cloud Service and all Qualtrics Confidential Information will end,
(b) Confidential Information of the disclosing party will be returned or destroyed as required by the
Agreement, and
(c) termination or expiration of the Agreement does not affect other agreements between the
parties.
6.5 Survival.
Sections 1, 5, 6.3, 6.4, 6.5, 8, 9, 10, 11, and 12 will survive the expiration or termination of the
Agreement.
7. WARRANTIES
7.1 Compliance with Law.
Each party warrants its current and continuing compliance with all laws and regulations applicable to it
in connection with:
(a) in the case of Qualtrics, the operation of Qualtrics' business as it relates to the Cloud Service,
and
(b) in the case of Customer, the Customer Data and Customer's use of the Cloud Service.
7.2 Good Industry Practices.
Qualtrics warrants that it will provide the Cloud Service:
Agreement No. 6158
(a) in substantial conformance with the Documentation; and
(b) with the degree of skill and care reasonably expected from a skilled and experienced global
supplier of services substantially similar to the nature and complexity of the Cloud Service.
7.3 Remedy.
Customer's sole and exclusive remedies and Qualtrics' entire liability for breach of the warranty under
Section 7.2 will be:
(a) the re -performance of the deficient Cloud Service, and
(b) if Qualtrics fails to re -perform, Customer may terminate its subscription for the affected Cloud
Service. Any termination must occur within three months of Qualtrics' failure to re -perform.
7.4 System Availability.
(a) Qualtrics warrants to maintain an average monthly system availability for the production system
of the Cloud Service as defined in the applicable service level agreement or Supplement ("SLA").
(b) Customer's sole and exclusive remedy for Qualtrics' breach of the SLA is the issuance of a credit
in the amount described in the SLA. Customer will follow Qualtrics' posted credit claim procedure.
When the validity of the service credit is confirmed by Qualtrics in writing (email permitted),
Customer may apply the credit to a future invoice for the Cloud Service or request a refund for
the amount of the credit if no future invoice is due.
(c) In the event Qualtrics fails to meet the SLA (i) for four consecutive months, or (ii) for five or more
months during any twelve months period, or (iii) at a system availability level of at least 95%
for one calendar month, Customer may terminate its subscriptions for the affected Cloud Service
by providing Qualtrics with written notice within thirty days after the failure.
7.5 Warranty Exclusions.
The warranties in Sections 7.2 and 7.4 will not apply if:
(a) the Cloud Service is not used in accordance with the Agreement or Documentation,
(b) any non -conformity is caused by Customer, or by any product or service not provided by
Qualtrics, or
(c) the Cloud Service was provided for no fee.
7.6 Disclaimer.
Except as expressly provided in the Agreement, neither Qualtrics nor its subcontractors make any
representation or warranties, express or implied, statutory or otherwise, regarding any matter,
including the merchantability, suitability, originality, or fitness for a particular use or purpose, non -
infringement or results to be derived from the use of or integration with any products or services
provided under the Agreement, or that the operation of any products or services will be secure,
uninterrupted or error free. Customer agrees that it is not relying on delivery of future functionality,
public comments or advertising of Qualtrics or product roadmaps in obtaining subscriptions for any
Cloud Service.
S. THIRD PARTY CLAIMS
8.1 Claims Brought Against Customer.
(a) Qualtrics will defend Customer against claims brought against Customer and its Affiliates by any
third party alleging that Customer's and its Affiliates' use of the Cloud Service infringes or
misappropriates a patent claim, copyright, ortrade secret right. Qualtrics will indemnify Customer
against all damages finally awarded against Customer (or the amount of any settlement Qualtrics
enters into) with respect to these claims.
(b) Qualtrics' obligations under Section 8.1 will not apply if the claim results from (i) Customer's
breach of Section 2, (ii) use of the Cloud Service in conjunction with any product or service not
provided by Qualtrics, or (iii) use of the Cloud Service provided for no fee.
(c) In the event a claim is made or likely to be made, Qualtrics may (i) procure for Customer the
right to continue using the Cloud Service under the terms of the Agreement, or (ii) replace or
modify the Cloud Service to be non -infringing without a material decrease in functionality. If these
options are not reasonably available, Qualtrics or Customer may terminate Customer's
subscription to the affected Cloud Service upon written notice to the other.
8.2 Claims Brought Against Qualtrics.
Customer will defend Qualtrics against claims brought against Qualtrics and its Affiliates and
subcontractors by any third party related to Customer Data.
Customer will indemnify Qualtrics against all damages finally awarded against Qualtrics and its Affiliates
and subcontractors (or the amount of any settlement Customer enters into) with respect to these claims.
Agreement No. 6158
8.3 Third Party Claim Procedure.
(a) The party against whom a third party claim is brought will timely notify the other party in writing
of any claim, reasonably cooperate in the defense and may appear (at its own expense) through
counsel reasonably acceptable to the party providing the defense.
(b) The party that is obligated to defend a claim will have the right to fully control the defense.
(c) Any settlement of a claim will not include a financial or specific performance obligation on, or
admission of liability by, the party against whom the claim is brought.
8.4 Exclusive Remedy.
The provisions of Section 8 state the sole, exclusive, and entire liability of the parties, their Affiliates,
Business Partners and subcontractors to the other party, and is the other party's sole remedy, with
respect to covered third party claims and to the infringement or misappropriation of third party
intellectual property rights.
9. LIMITATION OF LIABILITY
9.1 Unlimited Liability.
Neither party will exclude or limit its liability for damages resulting from:
(a) the parties' obligations under Section 8.1(a) and 8.2,
(b) unauthorized use or disclosure of Confidential Information,
(c) either party's breach of its data protection and security obligations that result in an unauthorized
use or disclosure of personal data,
(d) death or bodily injury arising from either party's gross negligence or willful misconduct, or
(e) any failure by Customer to pay any fees due under the Agreement.
9.2 Liability Cap.
Subject to Sections 9.1 and 9.3, the maximum aggregate liability of either party (or its respective
Affiliates or Qualtrics' subcontractors) to the other or any other person or entity for all events (or series
of connected events) arising in any twelve month period will not exceed the annual subscription fees
paid for the applicable Cloud Service directly causing the damage for that twelve month period. Any
"twelve month period" commences on the Subscription Term start date or any of its yearly
anniversaries.
9.3 Exclusion of Damages.
Subject to Section 9.1:
(a) neither party (nor its respective Affiliates or Qualtrics' subcontractors) will be liable to the other
-party for any special, incidental, consequential, or indirect damages, loss of good will or business
profits, work stoppage or for exemplary or punitive damages, and
(b) Qualtrics will not be liable for any damages caused by any Cloud Service provided for no fee.
9.4 Risk Allocation.
The Agreement allocates the risks between Qualtrics and Customer. The fees for the Cloud Service and
Consulting Services reflect this allocation of risk and limitations of liability.
9.5 Insurance.
During the term of the Agreement, Qualtrics using commercially reasonable efforts, shall maintain the
following insurance policies with insurer(s) having an AM Best Rating of A- or better:
(a) Commercial general liability with a limit of $1,000,000 per occurrence and $2,000,000 in
general aggregate including, but not limited to, coverage for bodily injury, death, property
damage, products and completed operations, premises/operations, contractual, and personal
and advertising injury liabilities;
(b) Commercial automobile liability with a combined single limit of $1,000,000 per occurrence
covering bodily injury, death and property damage resulting from operation of owned, non -
owned, hired or leased vehicles by Qualtrics' employees in connection with this Agreement;
(c) Workers' compensation in compliance with statutory requirements;
(d) Employer's liability with limits of $1,000,000 each accident, $1,000,000 by disease policy limit,
$1,000,000 by disease each employee;
(e) Excess/Umbrella liability with a limit of $4,000,000 per occurrence with respect to coverage
required in (a) and (b) above; and
(f) Technology professional liability with a limit of $5,000,000 per claim and in the aggregate
covering claims arising out of errors or omissions in connection with services provided by
Qualtrics as described in the Agreement and including network security and private data risks
involving unauthorized access, failure of security, transmission of malicious code, denial of
Agreement No. 6158
service attacks, and unauthorized disclosure or misappropriation of private data. The policy
shall have a retroactive date on or before the Agreement effective date or the date of
Qualtrics' first professional service, whichever is earlier. Qualtrics shall endeavor to use
commercially reasonable efforts to maintain such coverage for one (1) year following
expiration or cancellation of the Agreement.
Qualtrics shall be responsible for any deductibles or self -insured retentions under the aforementioned
policies. Following execution of the Agreement and upon request of Customer, Qualtrics shall provide
or make available for download a blanket certificate of insurance evidencing existence of the required
coverage. Qualtrics, its insurer(s) or broker(s) shall endeavor to provide Customer thirty (30) days
advance written notice in event of cancellation of policies required herein. None of the requirements
contained herein as to types or limits or Customer's approval of insurance coverage to be maintained
by Qualtrics are intended to, and shall not in any manner, limit, qualify or quantify the liabilities and
obligations assumed by Qualtrics under the Agreement.
10. INTELLECTUAL PROPERTY RIGHTS
10.1 QUALTRICS Ownership.
Qualtrics, Qualtrics' Affiliates or licensors own all intellectual property rights in and related to the Cloud
Service, Cloud Materials, Documentation, Consulting Services, design contributions, related knowledge
or processes, and any derivative works of them. All rights not expressly granted to Customer are
reserved to Qualtrics and its licensors.
10.2 Customer Ownership.
Customer retains all rights in and related to the Customer Data. Qualtrics may use Customer -provided
trademarks solely to provide and support the Cloud Service.
10.3 Non -Assertion of Rights.
Customer covenants, on behalf of itself and its successors and assigns, not to assert against Qualtrics
and its Affiliates or licensors, any rights, or any claims of any rights, in any Cloud Service, Cloud
Materials, Documentation, or Consulting Services.
11. CONFIDENTIALITY
11.1 Use of Confidential Information.
(a) The receiving party will protect all Confidential Information of the disclosing party as strictly
confidential to the same extent it protects its own Confidential Information, and not less than a
reasonable standard of care. Receiving party will not disclose any Confidential Information of the
disclosing party to any person other than its personnel, representatives or Authorized Users
whose access is necessary to enable it to exercise its rights or perform its obligations under the
Agreement and who are under obligations of confidentiality substantially similar to those in
Section 11. Customer will not disclose the Agreement or the pricing to any third party.
(b) Confidential Information of either party disclosed prior to execution of the Agreement will be
subject to Section 11.
(c) In the event of legal proceedings relating to the Confidential Information, the receiving party will
cooperate with the disclosing party and comply with applicable law (all at disclosing party's
expense) with respect to handling of the Confidential Information.
11.2 Exceptions.
The restrictions on use or disclosure of Confidential Information will not apply to any Confidential
Information that:
(a) is independently developed by the receiving party without reference to the disclosing party's
Confidential Information,
(b) is generally available to the public without breach of the Agreement by the receiving party,
(c) at the time of disclosure, was known to the receiving party free of confidentiality restrictions, or
(d) the disclosing party agrees in writing is free of confidentiality restrictions.
11.3 Publicity.
Neither party will use the name of the other party in publicity activities without the prior written consent
of the other, except that Customer agrees that Qualtrics may use Customer's name in customer listings
or quarterly calls with its investors or, at times mutually agreeable to the parties, as part of Qualtrics'
marketing efforts (including reference calls and stories, press testimonials, site visits, SAPPHIRE
participation). Customer agrees that Qualtrics may share information on Customer with its Affiliates for
Agreement No. 6158
marketing and other business purposes and that it has secured appropriate authorizations to share
Customer employee contact information with Qualtrics.
12. MISCELLANEOUS
12.1 Severability.
If any provision of the Agreement is held to be invalid or unenforceable, the invalidity or
unenforceability will not affect the other provisions of the Agreement.
12.2 No Waiver.
A waiver of any breach of the Agreement is not deemed a waiver of any other breach.
12.3 Electronic Signature.
Electronic signatures that comply with applicable law are deemed original signatures.
12.4 Regulatory Matters.
Qualtrics Confidential Information is subject to export control laws of various countries, including the
laws of the United States and Germany. Customer will not submit Qualtrics Confidential Information to
any government agency for licensing consideration or other regulatory approval, and will not export
Qualtrics Confidential Information to countries, persons or entities if prohibited by export laws.
12.5 Notices.
All notices will be in writing and given when delivered to the address set forth in an Order Form with
copy to the legal department. Notices by Qualtrics relating to the operation or support of the Cloud
Service and those under Sections 3.4 and 5.1 may be in the form of an electronic notice to Customer's
authorized representative or administrator identified in the Order Form.
12.6 Assignment.
Without Qualtrics' prior written consent, Customer may not assign or transfer the Agreement (or any
of its rights or obligations) to any party. Qualtrics may assign the Agreement to Qualtrics Affiliates.
12.7 Subcontracting.
Qualtrics may subcontract parts of the Cloud Service or Consulting Services to third parties. Qualtrics
is responsible for breaches of the Agreement caused by its subcontractors.
12.8 Relationship of the Parties.
The parties are independent contractors, and no partnership, franchise, joint venture, agency, fiduciary
or employment relationship between the parties is created by the Agreement.
12.9 Force Majeure.
Any delay in performance (other than for the payment of amounts due) caused by conditions beyond
the reasonable control of the performing party is not a breach of the Agreement. The time for
performance will be extended for a period equal to the duration of the conditions preventing
performance.
12.10 Governing Law.
The United Nations Convention on Contracts for the International Sale of Goods and the Uniform
Computer Information Transactions Act (where enacted) will not apply to the Agreement. Either party
must initiate a cause of action for any claim(s) relating to the Agreement and its subject matter within
one year from the date when the party knew, or should have known after reasonable investigation, of
the facts giving rise to the claim(s).
12.11 Entire Agreement.
The Agreement constitutes the complete and exclusive statement of the agreement between Qualtrics
and Customer in connection with the parties' business relationship related to the subject matter of the
Agreement. All previous representations, discussions, and writings (including any confidentiality
agreements) are merged in and superseded by the Agreement and the parties disclaim any reliance on
them. The Agreement may be modified solely in writing signed by both parties, except as permitted
under Section 3.4. An Agreement will prevail over terms and conditions of any Customer -issued
purchase order, which will have no force and effect, even if Qualtrics accepts or does not otherwise
reject the purchase order.
12.12 Data Processing Agreement.
Where Customer is processing personal data using the Services, the DPA shall govern the processing
of such personal data.
Agreement No. 6158
Glossary
1.1 "Affiliate" of a party means any legal entity in which a party, directly or indirectly, holds more than
fifty percent (50%) of the entity's shares or voting rights. Any legal entity will be considered an Affiliate
as long as that interest is maintained.
1.2 "Agreement" means an Order Form and documents incorporated into an Order Form.
1.3 "Authorized User" means any individual to whom Customer grants access authorization to use the
Cloud Service that is an employee, agent, contractor or representative of
(a) Customer,
(b) Customer's Affiliates, and/or
(c) Customer's and Customer's Affiliates' Business Partners.
1.4 "Business Partner" means a legal entity that requires use of a Cloud Service in connection with
Customer's and its Affiliates' internal business operations. These may include customers, distributors,
service providers and/or suppliers of Customer.
1.5 "Cloud Service" means any distinct, subscription -based, hosted, supported and operated on- demand
solution provided by Qualtrics under an Order Form.
1.6 "Cloud Materials" mean any materials provided or developed by Qualtrics (independently or with
Customer's cooperation) in the course of performance under the Agreement, including in the delivery
of any support or Consulting Services to Customer. Cloud Materials do not include the Customer Data,
Customer Confidential Information or the Cloud Service.
1.7 "Confidential Information" means
(a) with respect to Customer: (i) the Customer Data, (ii) Customer marketing and business
requirements, (iii) Customer implementation plans, and/or (iv) Customer financial information,
and
(b) with respect to Qualtrics: (i) the Cloud Service, Documentation, Cloud Materials and analyses
under Section 3.5, and (ii) information regarding Qualtrics research and development, product
offerings, pricing and availability.
(c) Confidential Information of either Qualtrics or Customer also includes information which the
disclosing party protects against unrestricted disclosure to others that (i) the disclosing party or its
representatives designates as confidential at the time of disclosure, or (ii) should reasonably be
understood to be confidential given the nature of the information and the circumstances
surrounding its disclosure.
1.8 "Consulting Services" means professional services, such as implementation, configuration, custom
development and training, performed by Qualtrics' employees or subcontractors as described in any
Order Form and which are governed by the Supplement for Consulting Services or similar agreement.
1.9 "Customer Data" means any content, materials, data and information that Authorized Users enter
into the production system of a Cloud Service or that Customer derives from its use of and stores in
the Cloud Service (e.g. Customer -specific reports). Customer Data and its derivatives will not include
Qualtrics' Confidential Information.
1.10 "Documentation" means Qualtrics' then -current technical and functional documentation as well as
any roles and responsibilities descriptions, if applicable, for the Cloud Service which is made available
to Customer with the Cloud Service.
1.11 "Order Form" means the ordering document for a Cloud Service that references the GTC.
1.12 "Qualtrics Policies" means the operational guidelines and policies applied by Qualtrics to provide
and support the Cloud Service as incorporated in an Order Form.
1.13 "Subscription Term" means the term of a Cloud Service subscription identified in the applicable Order
Form, including all renewals.
1.14 "Supplement" means as applicable, the supplemental terms and conditions that apply to the Cloud
Service and that are incorporated in an Order Form.
1.15 -Usage Metric" means the standard of measurement for determining the permitted use and
calculating the fees due for a Cloud Service as set forth in an Order Form.
Agreement No. 6158
THE PARTIES ENTER INTO THIS AGREEMENT AS OF THE LAST SIGNATURE DATE BELOW (-GTC
EFFECTIVE DATE").
CUSTOMER: CITY OF EL SEGUNDO
.._.......Name: Hank�Lu_.....__..�._www_..............................._....�.
Title: Risk Manager
Date: 9-13-21
Agreement No. 6158
Exhibit A
Data Processing Agreement
PERSONAL DATA PROCESSING AGREEMENT FOR QUALTRICS CLOUD SERVICES
This Data Processing Addendum ('DPA") is entered into
BETWEEN
(1) Customer; and
(2) Qualtrics.
1. BACKGROUND
1.1 Purpose and Application. This document is incorporated into the Agreement and forms part of a
written (including in electronic form) contract between Qualtrics and Customer. This DPA applies to
Personal Data processed by Qualtrics and its Subprocessors in connection with its provision of the Cloud
Service. This DPA does not apply to non -production environments of the Cloud Service if such
environments are made available by Qualtrics, and Customer shall not store Personal Data in such
environments.
1.2 Structure. Appendices 1 and 2 are incorporated into and form part of this DPA. They set out the agreed
subject -matter, the nature and purpose of the processing, the type of Personal Data, categories of data
subjects and the applicable technical and organizational measures.
1.3 GDPR. Qualtrics and Customer agree that it is each party's responsibility to review and adopt
requirements imposed on Controllers and Processors by the General Data Protection Regulation
2016/679 ("GDPR"), in particular with regards to Articles 28 and 32 to 36 of the GDPR, if and to the
extent applicable to Personal Data of Customer/Controllers that is processed under the DPA. For
illustration purposes, Appendix 3 lists the relevant GDPR requirements and the corresponding sections
in this DPA.
1.4 Governance. Qualtrics acts as a Processor and Customer and those entities that it permits to use the
Cloud Service act as Controllers under the DPA. Customer acts as a single point of contact and is solely
responsible for obtaining any relevant authorizations, consents and permissions for the processing of
Personal Data in accordance with this DPA, including, where applicable approval by Controllers to use
Qualtrics as a Processor. Where authorizations, consent, instructions or permissions are provided by
Customer these are provided not only on behalf of the Customer but also on behalf of any other
Controller using the Cloud Service. Where Qualtrics informs or gives notice to Customer, such
information or notice is deemed received by those Controllers permitted by Customer to use the Cloud
Service and it is Customer's responsibility to forward such information and notices to the relevant
Controllers.
2. SECURITY OF PROCESSING
2.1 Appropriate Technical and Organizational Measures. Qualtrics has implemented and will apply the
technical and organizational measures set forth in Mendjx 2. Customer has reviewed such measures
and agrees that as to the Cloud Service selected by Customer in the Order Form the measures are
appropriate taking into account the state of the art, the costs of implementation, nature, scope, context
and purposes of the processing of Personal Data.
2.2 Changes. Qualtrics applies the technical and organizational measures set forth in Appendix 2 to
Qualtrics' entire customer base hosted out of the same Data Center and receiving the same Cloud
Service. Qualtrics may change the measures set out in Appendix 2 at any time without notice so long
as it maintains a comparable or better level of security. Individual measures may be replaced by new
measures that serve the same purpose without diminishing the security level protecting Personal Data.
3. QUALTRICS OBLIGATIONS
3.1 Instructions from Customer. Qualtrics will process Personal Data only in accordance with documented
instructions from Customer. The Agreement (including this DPA) constitutes such documented initial
instructions and each use of the Cloud Service then constitutes further instructions. Qualtrics will use
reasonable efforts to follow any other Customer instructions, as long as they are required by Data
Agreement No. 6158
Protection Law, technically feasible and do not require changes to the Cloud Service. If any of the before -
mentioned exceptions apply, or Qualtrics otherwise cannot comply with an instruction or is of the opinion
that an instruction infringes Data Protection Law, Qualtrics will immediately notify Customer (email
permitted).
3.2 Processing on Legal Requirement. Qualtrics may also process Personal Data where required to do
so by applicable law. In such a case, Qualtrics shall inform Customer of that legal requirement before
processing unless that law prohibits such information on important grounds of public interest.
3.3 Personnel. To process Personal Data, Qualtrics and its Subprocessors shall only grant access to
authorized personnel who have committed themselves to confidentiality. Qualtrics and its Subprocessors
will regularly train personnel having access to Personal Data in applicable data security and data privacy
measures.
3.4 Cooperation. At Customer's request, Qualtrics will reasonably cooperate with Customer and Controllers
in dealing with requests from Data Subjects or regulatory authorities regarding Qualtrics' processing of
Personal Data or any Personal Data Breach. Qualtrics shall notify the Customer as soon as reasonably
practical about any request it has received from a Data Subject in relation to the Personal Data
processing, without itself responding to such request without Customer's further instructions, if
applicable. Qualtrics shall provide functionality that supports Customer's ability to correct or remove
Personal Data from the Cloud Service, or restrict its processing in line with Data Protection Law. Where
such functionality is not provided, Qualtrics will correct or remove any Personal Data, or restrict its
processing, in accordance with the Customer's instruction and Data Protection Law.
3.5 Personal Data Breach Notification. Qualtrics will notify Customer without undue delay after becoming
aware of any Personal Data Breach and provide reasonable information in its possession to assist
Customer to meet Customer's obligations to report a Personal Data Breach as required under Data
Protection Law. Qualtrics may provide such information in phases as it becomes available. Such
notification shall not be interpreted or construed as an admission of fault or liability by Qualtrics.
3.6 Data Protection Impact Assessment. If, pursuant to Data Protection Law, Customer (or its
Controllers) are required to perform a data protection impact assessment or prior consultation with a
regulator, at Customer's request, Qualtrics will provide such documents as are generally available for
the Cloud Service (for example, this DPA, the Agreement, audit reports or certifications). Any additional
assistance shall be mutually agreed between the Parties.
4. DATA EXPORT AND DELETION
4.1 Export and Retrieval by Customer. During the Subscription Term and subject to the Agreement,
Customer can access its Personal Data at any time. Customer may export and retrieve its Personal Data
in a standard format. Export and retrieval may be subject to technical limitations, in which case Qualtrics
and Customer will find a reasonable method to allow Customer access to Personal Data.
4.2 Deletion. Before the Subscription Term expires, Customer is required to use Qualtrics' self-service
export tools (as available) to perform a final export of Personal Data from the Cloud Service (which shall
constitute a "return" of Personal Data). At the end of the Subscription Term, Customer hereby instructs
Qualtrics to delete the Personal Data remaining on servers hosting the Cloud Service within a reasonable
time period in line with Data Protection Law (not to exceed six months) unless applicable law requires
retention.
5. CERTIFICATIONS AND AUDITS
5.1 Customer Audit. Customer or its independent third party auditor reasonably acceptable to Qualtrics
(which shall not include any third party auditors who are either a competitor of Qualtrics or not suitably
qualified or independent) may audit Qualtrics' control environment and security practices relevant to
Personal Data processed by Qualtrics only if:
(a) Qualtrics has not provided sufficient evidence of its compliance with the technical and
organizational measures that protect the production systems of the Cloud Service through
providing either: (i) a certification as to compliance with ISO 27001 or other standards (scope
as defined in the certificate); or (ii) a valid ISAE3402 and/or ISAE3000 or other SOC1-3
attestation report. Upon Customer's request audit reports or ISO certifications are available
through the third party auditor or Qualtrics;
(b) A Personal Data Breach has occurred;
(c) An audit is formally requested by Customer's data protection authority; or
(d) Mandatory Data Protection Law provides Customer with a direct audit right and provided that
Customer shall only audit once in any twelve month period unless mandatory Data Protection
Law requires more frequent audits.
Agreement No. 6158
5.2 Other Controller Audit. Any other Controller may audit Qualtrics' control environment and security
practices relevant to Personal Data processed by Qualtrics in line with Section 5.1 only if any of the
cases set out in Section 5.1 applies to such other Controller. Such audit must be undertaken through
and by Customer as set out in Section 5.1 unless the audit must be undertaken by the other Controller
itself under Data Protection Law. If several Controllers whose Personal Data is processed by Qualtrics
on the basis of the Agreement require an audit, Customer shall use all reasonable means to combine
the audits and to avoid multiple audits.
5.3 Scope of Audit. Customer shall provide at least sixty days advance notice of any audit unless
mandatory Data Protection Law or a competent data protection authority requires shorter notice. The
frequency and scope of any audits shall be mutually agreed between the parties acting reasonably and
in good faith. Customer audits shall be limited in time to a maximum of three business days. Beyond
such restrictions, the parties will use current certifications or other audit reports to avoid or minimize
repetitive audits. Customer shall provide the results of any audit to Qualtrics.
5.4 Cost of Audits. Customer shall bear the costs of any audit unless such audit reveals a material breach
by Qualtrics of this DPA, then Qualtrics shall bear its own expenses of an audit. If an audit determines
that Qualtrics has breached its obligations under the DPA, Qualtrics will promptly remedy the breach at
its own cost.
6. SUBPROCESSORS
6.1 Permitted Use. Qualtrics is granted a general authorization to subcontract the processing of Personal
Data to Subprocessors, provided that:
(a) Qualtrics shall engage Subprocessors under a written (including in electronic form) contract
consistent with the terms of this DPA in relation to the Subprocessor's processing of Personal
Data. Qualtrics shall be liable for any breaches by the Subprocessor in accordance with the
terms of this Agreement;
(b) Qualtrics will evaluate the security, privacy and confidentiality practices of a Subprocessor prior
to selection to establish that it is capable of providing the level of protection of Personal Data
required by this DPA; and
(c) Qualtrics' list of Subprocessors in place on the effective date of the Agreement is published by
Qualtrics or Qualtrics will make it available to Customer, upon request including the name,
address and role of each Subprocessor Qualtrics uses to provide the Cloud Service.
6.2 New Subprocessors. Qualtrics' use of Subprocessors is at its discretion, provided that:
(a) Qualtrics will inform Customer in advance (by email or by posting within the Cloud Service) of
any intended additions or replacements to the list of Subprocessors including name, address
and role of the new Subprocessor; and
(b) Customer may object to such changes as set out in Section 6.3.
6.3 Objections to New Subprocessors.
(a) If Customer has a legitimate reason under Data Protection Law to object to the new
Subprocessors' processing of Personal Data, Customer may terminate the Agreement (limited
to the Cloud Service for which the new Subprocessor is intended to be used) on written notice
to Qualtrics. Such termination shall take effect at the time determined by the Customer which
shall be no later than thirty days from the date of Qualtrics' notice to Customer informing
Customer of the new Subprocessor. If Customer does not terminate within this thirty day period,
Customer is deemed to have accepted the new Subprocessor.
(b) Within the thirty day period from the date of Qualtrics' notice to Customer informing Customer
of the new Subprocessor, Customer may request that the parties come together in good faith
to discuss a resolution to the objection. Such discussions shall not extend the period for
termination and do not affect Qualtrics' right to use the new Subprocessor(s) after the thirty
day period.
(c) Any termination under this Section 6.3 shall be deemed to be without fault by either party and
shall be subject to the terms of the Agreement.
6.4 Emergency Replacement. Qualtrics may replace a Subprocessor without advance notice where the
reason for the change is outside of Qualtrics' reasonable control and prompt replacement is required for
Agreement No. 6158
security or other urgent reasons. In this case, Qualtrics will inform Customer of the replacement
Subprocessor as soon as possible following its appointment. Section 6.3 applies accordingly.
7. INTERNATIONAL PROCESSING
7.1 Conditions for International Processing. Qualtrics shall be entitled to process Personal Data,
including by using Subprocessors, in accordance with this DPA outside the country in which the Customer
is located as permitted under Data Protection Law.
7.2 Standard Contractual Clauses. Where (i) Personal Data of an EEA or Swiss based Controller is
processed in a country outside the EEA, Switzerland and any country, organization or territory
acknowledged by the European Union as a safe country with an adequate level of data protection under
Art. 45 GDPR, or where (ii) Personal Data of another Controller is processed internationally and such
international processing requires an adequacy means under the laws of the country of the Controller
and the required adequacy means can be met by entering into Standard Contractual Clauses, then:
(a) Qualtrics and Customer enter into the Standard Contractual Clauses;
(b) Customer enters into the Standard Contractual Clauses with each relevant Subprocessor as
follows, either (i) Customer joins the Standard Contractual Clauses entered into by Qualtrics
and the Subprocessor as an independent owner of rights and obligations ("Accession Model")
or, (ii) the Subprocessor (represented by Qualtrics) enters into the Standard Contractual Clauses
with Customer ("Power of Attorney Model"). The Power of Attorney Model shall apply if and
when Qualtrics has expressly confirmed that a Subprocessor is eligible for it through the
Subprocessor list provided under Section 6.1(c), or a notice to Customer; and/or
(c) Other Controllers whose use of the Cloud Services has been authorized by Customer under the
Agreement may also enter into Standard Contractual Clauses with Qualtrics and/or the relevant
Subprocessors in the same manner as Customer in accordance with Sections 7.2 (a) and (b)
above. In such case, Customer will enter into the Standard Contractual Clauses on behalf of
the other Controllers.
7.3 Relation of the Standard Contractual Clauses to the Agreement. Nothing in the Agreement shall
be construed to prevail over any conflicting clause of the Standard Contractual Clauses. For the
avoidance of doubt, where this DPA further specifies audit and subprocessor rules in sections 5 and 6,
such specifications also apply in relation to the Standard Contractual Clauses.
7.4 Governing Law of the Standard Contractual Clauses. The Standard Contractual Clauses shall be
governed by the law of the country in which the relevant Controller is incorporated.
8. DOCUMENTATION; RECORDS OF PROCESSING
Each party is responsible for its compliance with its documentation requirements, in particular maintaining
records of processing where required under Data Protection Law. Each party shall reasonably assist the other
party in its documentation requirements, including providing the information the other party needs from it in a
manner reasonably requested by the other party (such as using an electronic system), in order to enable the
other party to comply with any obligations relating to maintaining records of processing.
9. DEFINITIONS
Capitalized terms not defined herein will have the meanings given to them in the Agreement.
9.1 "Controller" means the natural or legal person, public authority, agency or other body which, alone or
jointly with others, determines the purposes and means of the processing of Personal Data; for the
purposes of this DPA, where Customer acts as processor for another controller, it shall in relation to
Qualtrics be deemed as additional and independent Controller with the respective controller rights and
obligations under this DPA.
9.2 "Data Center" means the location where the production instance of the Cloud Service is hosted for the
Customer in the region agreed in an Order Form.
9.3 "Data Protection Law" means the applicable legislation protecting the fundamental rights and
freedoms of persons and their right to privacy with regard to the processing of Personal Data under the
Agreement (and includes, as far as it concerns the relationship between the parties regarding the
Agreement No. 6158
processing of Personal Data by Qualtrics on behalf of Customer, the GDPR as a minimum standard,
irrespective of whether the Personal Data is subject to GDPR or not).
9.4 "Data Subject" means an identified or identifiable natural person as defined by Data Protection Law.
9.5 "EEA" means the European Economic Area, namely the European Union Member States along with
Iceland, Liechtenstein and Norway.
9.6 "Personal Data" means any information relating to a Data Subject which is protected under Data
Protection Law. For the purposes of the DPA, it includes only personal data which is (i) entered by
Customer or its Authorized Users into or derived from their use of the Cloud Service, or (ii) supplied to
or accessed by Qualtrics or its Subprocessors in order to provide support under the Agreement. Personal
Data is a sub -set of Customer Data (as defined under the Agreement).
9.7 "Personal Data Breach" means a confirmed (1) accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of or unauthorized third -party access to Personal Data or (2) similar incident
involving Personal Data, in each case for which a Controller is required under Data Protection Law to
provide notice to competent data protection authorities or Data Subjects.
9.8 "Processor" means a natural or legal person, public authority, agency or other body which processes
personal data on behalf of the controller, be it directly as processor of a controller or indirectly as
subprocessor of a processor which processes personal data on behalf of the controller.
9.9 -Standard Contractual Clauses" or sometimes also referred to the "EU Model Clauses" means the
(Standard Contractual Clauses (processors)) or any subsequent version thereof published by the
European Commission (which will automatically apply). The Standard Contractual Clauses current as of
the effective date of the Agreement are attached hereto as Appendix 4.
9.10 "Subprocessor" means Qualtrics affiliates and third parties engaged by Qualtrics in connection with
the Cloud Service and which process Personal Data in accordance with this DPA.
Agreement No. 6158
Appendix 1 to the DPA and, if applicable, the Standard Contractual Clauses
Data Exporter
The Data Exporter is the Customer who subscribed to a Cloud Service that allows Authorized Users to enter,
amend, use, delete or otherwise process Personal Data. Where the Customer allows other Controllers to also
use the Cloud Service, these other Controllers are also Data Exporters.
Data Importer
Qualtrics and its Subprocessors provide the Cloud Service that includes the following support:
Qualtrics and its Affiliates support the Cloud Service data centers remotely from Qualtrics' locations specified
in Qualtrics' Security White Paper (which is available upon request). Support includes:
• Monitoring the Cloud Service
• Backup & restoration of Customer Data stored in the Cloud Service
• Release and development of fixes and upgrades to the Cloud Service
• Monitoring, troubleshooting and administering the underlying Cloud Service infrastructure and database
• Security monitoring, network -based intrusion detection support, penetration testing
Qualtrics and its Affiliates provide support when a Customer requests support because the Cloud Service is
not available or not working as expected for some or all Authorized Users. Qualtrics answers phones and
performs basic troubleshooting, and handles support tickets in a tracking system that is separate from the
production instance of the Cloud Service.
Data Subjects
The Data Exporter solely determines the categories of Data Subjects which may include: employees,
contractors, business partners or other individuals having Personal Data stored in the Cloud Service.
Data Categories
Customer solely determines the categories of data per Cloud Service subscribed. Customer can configure the
data fields during implementation of the Cloud Service or as otherwise provided by the Cloud Service. The
transferred Personal Data typically relates to the following categories of data: name, phone numbers, e- mail
address, time zone, address data, system access / usage / authorization data, company name, contract data,
invoice data, plus any application -specific data that Authorized Users enter into the Cloud Service.
Special Data Categories (if appropriate)
The transferred Personal Data concerns the following special categories of data: As set out in the Agreement
(including the Order Form) if any.
Processing Operations / Purposes
The transferred Personal Data is subject to the following basic processing activities:
• use of Personal Data to set up, operate, monitor and provide the Cloud Service (including operational and
technical Support)
• provision of Services;
• communication to Authorized Users
• storage of Personal Data in dedicated Data Centers (multi -tenant architecture)
• upload any fixes or upgrades to the Cloud Service
• back up of Personal Data
• computer processing of Personal Data, including data transmission, data retrieval, data access
• network access to allow Personal Data transfer
• execution of instructions of Customer in accordance with the Agreement.
Agreement No. 6158
Appendix 2 to the DPA and, if applicable, the Standard Contractual Clauses — Technical and
Organizational Measures
1. TECHNICAL AND ORGANIZATIONAL MEASURES
The following sections define Qualtrics' current technical and organizational measures. Qualtrics may change
these at any time without notice so long as it maintains a comparable or better level of security. Individual
measures may be replaced by new measures that serve the same purpose without diminishing the security
level protecting Personal Data.
1.1 Physical Access Control. Unauthorized persons are prevented from gaining physical access to
premises, buildings or rooms where data processing systems that process and/or use Personal Data
are located.
Measures:
• Qualtrics protects its assets and facilities using the appropriate means based on the Qualtrics Security
Policy
• In general, buildings are secured through access control systems (e.g., smart card access system).
• As a minimum requirement, the outermost entrance points of the building must be fitted with a certified
key system including modern, active key management.
• Depending on the security classification, buildings, individual areas and surrounding premises may be
further protected by additional measures. These include specific access profiles, video surveillance,
intruder alarm systems and biometric access control systems.
• Access rights are granted to authorized persons on an individual basis according to the System and Data
Access Control measures (see Section 1.2 and 1.3 below). This also applies to visitor access. Guests and
visitors to Qualtrics buildings must register their names at reception and must be accompanied by
authorized Qualtrics personnel.
• Qualtrics employees and external personnel must wear their ID cards at all Qualtrics
locations.
AddWonall me uses Ior Dat r .,
• All Data Centers adhere to strict security procedures enforced by guards, surveillance cameras, motion
detectors, access control mechanisms and other measures to prevent equipment and Data Center
facilities from being compromised. Only authorized representatives have access to systems and
infrastructure within the Data Center facilities. To protect proper functionality, physical security
equipment (e.g., motion sensors, cameras, etc.) undergo maintenance on a regular basis.
• Qualtrics and all third -party Data Center providers log the names and times of authorized personnel
entering Qualtrics' private areas within the Data Centers.
1.2 System Access Control. Data processing systems used to provide the Cloud Service must be
prevented from being used without authorization.
Measures:
• Multiple authorization levels are used when granting access to sensitive systems, including those storing
and processing Personal Data. Authorizations are managed via defined processes according to the
Qualtrics Security Policy
• All personnel access Qualtrics' systems with a unique identifier (user ID).
• Qualtrics has procedures in place so that requested authorization changes are implemented only in
accordance with the Qualtrics Security Policy (for example, no rights are granted without authorization).
In case personnel leaves the company, their access rights are revoked.
• Qualtrics has established a password policy that prohibits the sharing of passwords, governs responses
to password disclosure, and requires passwords to be changed on a regular basis and default passwords
to be altered. Personalized user IDs are assigned for authentication. All passwords must fulfill defined
minimum requirements and are stored in encrypted form. In the case of domain passwords, the system
forces a password change every six months in compliance with the requirements for complex passwords.
Each computer has a password -protected screensaver.
• The company network is protected from the public network by firewalls.
Agreement No. 6158
• Qualtrics uses up—to-date antivirus software at access points to the company network (for e-mail
accounts), as well as on all file servers and all workstations.
• Security patch management is implemented to provide regular and periodic deployment of relevant
security updates. Full remote access to Qualtrics' corporate network and critical infrastructure is protected
by strong authentication.
1.3 Data Access Control. Persons entitled to use data processing systems gain access only to the Personal
Data that they have a right to access, and Personal Data must not be read, copied, modified or removed
without authorization in the course of processing, use and storage.
Measures:
• As part of the Qualtrics Security Policy, Personal Data requires at least the same protection level as
"confidential" information according to the Qualtrics Information Classification standard.
• Access to Personal Data is granted on a need -to -know basis. Personnel have access to the information
that they require in order to fulfill their duty. Qualtrics uses authorization concepts that document grant
processes and assigned roles per account (user ID). All Customer Data is protected in accordance with
the Qualtrics Security Policy.
• All production servers are operated in the Data Centers or in secure server rooms. Security measures
that protect applications processing Personal Data are regularly checked. To this end, Qualtrics conducts
internal and external security checks and penetration tests on its IT systems.
• An Qualtrics security standard governs how data and data carriers are deleted or destroyed once they
are no longer required.
1.4 Data Transmission Control. Except as necessary for the provision of the Cloud Services in accordance
with the Agreement, Personal Data must not be read, copied, modified or removed without
authorization during transfer. Where data carriers are physically transported, adequate measures are
implemented at Qualtrics to provide the agreed -upon service levels (for example, encryption and lead -
lined containers).
Measures:
• Personal Data in transfer over Qualtrics internal networks is protected according to Qualtrics Security
Policy.
• When data is transferred between Qualtrics and its customers, the protection measures for the transferred
Personal Data are mutually agreed upon and made part of the relevant agreement. This applies to both
physical and network based data transfer. In any case, the Customer assumes responsibility for any data
transfer once it is outside of Qualtrics-controlled systems (e.g. data being transmitted outside the firewall
of the Qualtrics Data Center).
1.5 Data Input Control. It will be possible to retrospectively examine and establish whether and by whom
Personal Data have been entered, modified or removed from Qualtrics data processing systems.
Measures:
• Qualtrics only allows authorized personnel to access Personal Data as required in the course of their duty.
• Qualtrics has implemented a logging system for input, modification and deletion, or blocking of Personal
Data by Qualtrics or its subprocessors within the Cloud Service to the extent technically possible.
1.6 Job Control. Personal Data being processed on commission (i.e., Personal Data processed on a
customer's behalf) is processed solely in accordance with the Agreement and related instructions of the
customer.
Measures:
•Qualtrics uses controls and processes to monitor compliance with contracts between Qualtrics and its
customers, subprocessors or other service providers.
• As part of the Qualtrics Security Policy, Personal Data requires at least the same protection level as
"confidential" information according to the Qualtrics Information Classification standard.
• All Qualtrics employees and contractual subprocessors or other service providers are contractually bound
to respect the confidentiality of all sensitive information including trade secrets of Qualtrics customers
and partners.
Agreement No. 6158
1.7 Availability Control. Personal Data will be protected against accidental or unauthorized destruction
or loss.
Measures:
Qualtrics employs regular backup processes to provide restoration of business -critical systems as and
when necessary.
• Qualtrics uses uninterrupted power supplies (for example: UPS, batteries, generators, etc.) to protect
power availability to the Data Centers.
• Qualtrics has defined business contingency plans for business -critical processes and may offer disaster
recovery strategies for business critical Services as further set out in the Documentation or incorporated
into the Order Form for the relevant Cloud Service.
• Emergency processes and systems are regularly tested.
1.8 Data Separation Control.
Measures:
• Qualtrics uses the technical capabilities of the deployed software (for example: multi- tenancy, system
landscapes) to achieve data separation among Personal Data originating from multiple customers.
• Customer (including its Controllers) has access only to its own data.
1.9 Data Integrity Control. Personal Data will remain intact, complete and current during processing
activities.
Measures:
Qualtrics has implemented a multi -layered defense strategy as a protection against unauthorized modifications.
In particular, Qualtrics uses the following to implement the control and measure sections described above:
• Firewalls;
• Security Monitoring Center;
• Antivirus software;
• Backup and recovery;
• External and internal penetration testing;
• Regular external audits to prove security measures.
Agreement No. 6158
Appendix 3 to the DPA and, if applicable, the Standard Contractual Clauses
The following table sets out the relevant Articles of GDPR and corresponding terms of the DPA for illustration
purposes only.
Article of
Section of
Click on link to see Section
GDPR
DPA
28(1)
2 and
Security of . ing and Armendix 2,
Appendix 2
Technical and Organizational Measures.
SU,BPROCESSORS
28(2), 28(3) (d)
6
and 28 (4)
28 (3) sentence
1.1 and
burp se an Agolication. Str�gc�are,
1
Appendix 1,
1.2
28(3) (a) and
3.1 and 3.2
In Aructsions from Customer. Pr spa
29
LegaIR, uirenent.
28(3) (b)
3.3
Personnel.
28(3) (c) and 32
2 and
Sgrit o Pr cessina and i2s�ux�.
Appendix 2
Tech i al an ° n i M as,, re ..
28(3) (e)
3.4
Cpp peratlon.
28(3) (f) and
2 and
ecurit of Pra in and Aendi x_2 ,
32-36
Appendix 2,
PP
Teti V and OroanIz tional lea . re .
Personal Data Breach, Notification. Data
ProtectloqIMpact Assessment.
3.5, 3.6
�28(3) (g)
4
Cute poi and De .tLQ!
28(3) (h)
5
E ,TIFICA IIONS_ M1 AUDITS
28 (4)
6
SUBPROCESSO.RS
30
8
ocumentati6i Rgg, rds of ocessi
46(2) (c)
7.2
Standard Contractual Clauses.
Agreement No. 6158
Appendix 4
STANDARD CONTRACTUAL CLAUSES (PROCESSORS)
(Pursuant to Commission Decision of 5 February 2010 (2010/87/EU))
For the purposes of Article 26(2) of Directive 95/46/EC (or, after 25 May 2018, Article 44 et seq. of Regulation
2016/79) for the transfer of personal data to processors established in third countries which do not ensure an
adequate level of data protection
Customer also on behalf of the other Controllers
(in the Clauses hereinafter referred to as the 'data exporter')
and
Qualtrics, LLC
(in the Clauses hereinafter referred to as the 'data importer')
each a'party'; together 'the parties'
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with
respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the
data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject'
and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament
and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal
data and on the free movement of such data;
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data
intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the
Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of
Article 25(1) of Directive 95/46/EC;
(d) 'the sub -processor' means any processor engaged by the data importer or by any other sub -processor of
the data importer who agrees to receive from the data importer or from any other sub -processor of the data
importer personal data exclusively intended for processing activities to be carried out on behalf of the data
exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the
written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and
freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data
applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organisational security measures' means those measures aimed at protecting personal
data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access,
in particular where the processing involves the transmission of data over a network, and against all other
unlawful forms of processing.
Agreement No. 6158
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified
in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third -party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to
(e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third -party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause
6, Clause 7,Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has
ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter
by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter,
in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub -processor this Clause, Clause 5(a) to (e) and (g), Clause
6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer
have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has
assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which
it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them
against such entity. Such third -party liability of the subprocessor shall be limited to its own processing operations
under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data
subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be
carried out in accordance with the relevant provisions of the applicable data protection law (and, where
applicable, has been notified to the relevant authorities of the Member State where the data exporter is
established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct
the data importer to process the personal data transferred only on the data exporter's behalf and in accordance
with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational
security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures
are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration,
unauthorised disclosure or access, in particular where the processing involves the transmission of data over a
network, and against all other unlawful forms of processing, and that these measures ensure a level of security
appropriate to the risks presented by the processing and the nature of the data to be protected having regard
to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
Agreement No. 6158
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be
informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country
not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub -processor pursuant to Clause
5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the
transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of
Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub -
processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract
contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub -processing, the processing activity is carried out in accordance with Clause 11
by a subprocessor providing at least the same level of protection for the personal data and the rights of data
subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions
and the Clauses; if it cannot provide such compliance for whatever reasons, it
agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled
to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the
instructions received from the data exporter and its obligations under the contract and that in the event of a
change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations
provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which
case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2
before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority
unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of
a law enforcement investigation;
(i i) any accidental or unauthorised access; and
(iii) any request received directly from the data subjects without responding to that request,
unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the
personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the
processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing
activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed
Agreement No. 6158
of independent members and in possession of the required professional qualifications bound by a duty of
confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for
sub -processing, unless the Clauses or contract contain commercial information, in which case it may remove
such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description
of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub -processing, it has previously informed the data exporter and obtained its prior
written consent;
(i) that the processing services by the sub -processor will be carried out in accordance with Clause 11;
U) to send promptly a copy of any sub -processor agreement it concludes under the Clauses to the data
exporter.
Clause 6
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the
obligations referred to in Clause 3 or in Clause 11 by any party or sub -processor is entitled to receive
compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against
the data exporter, arising out of a breach by the data importer or his sub- processor of any of their obligations
referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist
in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the
data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations
of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights
against such entity.
The data importer may not rely on a breach by a sub -processor of its obligations in order to avoid its own
liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to
in paragraphs 1 and 2, arising out of a breach by the sub -processor of any of their obligations referred to in
Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or
ceased to exist in law or have become insolvent, the sub -processor agrees that the data subject may issue a
claim against the data sub -processor with regard to its own processing operations under the Clauses as if it
were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations
of the data exporter or data importer by contract or by operation of law, in which case the data subject can
enforce its rights against such entity. The liability of the sub -processor shall be limited to its own processing
operations under the Clauses.
Clause 7
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third -party beneficiary rights and/or
claims compensation for damages under the Clauses, the data importer will accept the decision of the data
subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the
supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is
established.
Agreement No. 6158
2. The parties agree that the choice made by the data subject will not prejudice its substantive or
procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests
or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer,
and of any sub -processor, which has the same scope and is subject to the same conditions as would apply to
an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable
to it or any sub -processor preventing the conduct of an audit of the data importer, or any sub -processor,
pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in
Clause 5(b).
Clause 9
Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses
on business related issues where required as long as they do not contradict the Clause.
Clause 11
Sub -processing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data
exporter under the Clauses without the prior written consent of the data exporter. Where the data importer
subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way
of a written agreement with the sub- processor which imposes the same obligations on the sub -processor as
are imposed on the data importer under the Clauses. Where the sub -processor fails to fulfill its data protection
obligations under such written agreement the data importer shall remain fully liable to the data exporter for the
performance of the sub -processor's obligations under such agreement.
2. The prior written contract between the data importer and the sub -processor shall also provide for a
third -party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the
claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer
because they have factually disappeared or have ceased to exist in law or have become insolvent and no
successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or
by operation of law. Such third -party liability of the sub -processor shall be limited to its own processing
operations under the Clauses.
3. The provisions relating to data protection aspects for sub -processing of the contract referred to in
paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of sub -processing agreements concluded under the Clauses and
notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall
be available to the data exporter's data protection supervisory authority.
Agreement No. 6158
Clause 12
Obligation after the termination of personal data-processing services
1. The parties agree that on the termination of the provision of data-processing services, the data importer
and the sub -processor shall, at the choice of the data exporter, return all the personal data transferred and the
copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it
has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or
part of the personal data transferred. In that case, the data importer warrants that it will guarantee the
confidentiality of the personal data transferred and will not actively process the personal data transferred
anymore.
2. The data importer and the sub -processor warrant that upon request of the data exporter and/or of the
supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in
paragraph 1.