Data Processing Agreement

Last updated as of March 6, 2023


This data processing agreement (“DPA”), including the annex below, is part of our Terms of Use and Sale for Businesses and applies only to the extent stated within them (see the Privacy and data use section).


Words or expressions defined in “quotation marks” have the same meanings each time they are used in this DPA. Unless we say otherwise below, any words or expressions that are defined in the Terms of Use and Sale for Businesses have the same meanings when used in this DPA too.

  • “Applicable Data Protection Law” means all laws and regulations applicable to Thingtesting’s processing of Relevant Data under the Terms of Use and Sale for Businesses, including the GDPR and any legislation and/or regulations implementing, or made under or pursuant to the GDPR, such as the UK GDPR or the UK Data Protection Act 2018.
  • “Personal Data”, “Special Categories of Personal Data”, “Controller” and “Processor” have the meanings given in the GDPR.
  • “Relevant Data” means personal data as described in the annex below.
  • “Thingtesting”, “we”, “us” or “our” means Thingtesting, Inc.

Relationship between you and Thingtesting

1. To the extent that Thingtesting delivers review invitation services to you and you are a Controller of the Relevant Data under GDPR, then you (the Controller) appoint Thingtesting as a Processor to process that Relevant Data.

2. This DPA will apply to you and us for as long as the Terms of Use and Sale for Businesses apply to you, or for as long as we process Relevant Data on your behalf – whichever is longer.


3. You instruct Thingtesting to process the Relevant Data in accordance with this DPA and only for the purpose described in the annex below (or as otherwise may be agreed between you and Thingtesting in writing) (the “Purpose”). Thingtesting may not process the Relevant Data for any other purpose, unless it is required to under EU law, EU member state law or UK law. In that case, Thingtesting will write to you about why it needs to process the Relevant Data, unless it is restricted by law from informing you.

4. If Thingtesting believes that an instruction given by you violates the Applicable Data Protection Law, Thingtesting will let you know immediately.

5. Thingtesting is not currently aware of being subject to legislation that would prevent it from fulfilling the DPA, but it will let you know without undue delay if that changes or is expected to change.

Transfers of Relevant Data

6. Thingtesting will not transfer Relevant Data outside of the European Economic Area and the UK unless it has taken necessary measures to ensure that the transfer complies with the Applicable Data Protection Law. These measures may include transferring the Relevant Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

Prohibited data

7. You agree that you won’t disclose to Thingtesting for processing any Personal Data for which you do not have the rights, permissions or consents required under Applicable Data Protection Law to enable Thingtesting to lawfully process it.


8. Thingtesting will ensure that any person that it authorizes to process the Relevant Data will keep the Relevant Data confidential under a statutory obligation of confidentiality or other commitment.

Security practices

9. Thingtesting implements appropriate technical and organizational measures that ensure a level of security appropriate to the risk and protect the Relevant Data from being:

  • accidentally or unlawfully destroyed, lost or altered,
  • disclosed or made available without authorization, or
  • otherwise processed in violation of the Applicable Data Protection Law.

11. Thingtesting will also comply with any other applicable data security requirements that are directly imposed on it, including the data security requirements of the country in which Thingtesting is established and where the data processing will be performed.

12. The appropriateness of the technical and organizational security measures will be based on:

  • the current state of the art;
  • the cost of their implementation; and
  • the nature, scope, context and purposes of processing, as well as the likelihood of risks and the impact on the data protection rights and freedoms of data subjects.

13. On your request, Thingtesting will provide you with sufficient information to enable you to check that Thingtesting is complying with its obligations under the DPA, including that it has implemented the technical and organizational security measures described above.


14. You may at your own cost appoint an independent expert who (so long as the expert isn’t a competitor of Thingtesting) will be given access to Thingtesting’s premises and the information necessary to audit whether Thingtesting complies with its obligations under the DPA - including whether the appropriate technical and organizational security measures have been implemented.

15. You’ll need to let us know at least 14 days before you want your expert to have access. And, before we give them access, they’ll need to enter a customary non-disclosure agreement with Thingtesting that ensures that they treat all information they obtain or receive from Thingtesting and/or its affiliates confidentially - and may only share that information with you.

16. Any findings or reports created on the basis of the expert’s inspection and audit must be shared with Thingtesting and will be treated as confidential information.

Requests from authorities

17. At your request, Thingtesting will assist you in the event of an investigation by a regulator, if such investigation relates to the Processing of Personal Data by Thingtesting on your behalf.

Security incidents

19. Thingtesting will, without undue delay after becoming aware of the facts, inform you in writing about any suspicion or finding of a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Relevant Data transmitted, stored or otherwise processed by Thingtesting.

Cooperation and data subjects’ rights

20. Thingtesting will use commercially reasonable efforts to promptly assist you with the handling of any requests from data subjects under Chapter III of the GDPR and, where commercially practicable, under any other Applicable Data Protection Law, including requests for access, rectification, blocking or deletion, which relate to our processing of the Relevant Data.

21. If Thingtesting receives such a request, Thingtesting will not respond to it other than to inform the requesting data subject:

  • whether a review invitation email has been sent to the data subject on your behalf; and
  • that he/she should submit his/her request to you, given that you will be responsible for responding to these requests.

22. Thingtesting will use commercially reasonable efforts to assist you with meeting the other obligations that may be imposed on you under EU law, EU member state law or UK law related to data processing where our assistance is necessary for you to comply with your obligations. This includes providing reasonable cooperation to you in connection with any data protection impact assessment that may be required in accordance with articles 35 and 36 of the GDPR.

23. Thingtesting will also provide information related to the provision of the services to authorities or your external advisors and auditors if this is necessary for the performance of their duties in accordance with EU law, EU member state law or laws in the UK.

24. In the annex below, Thingtesting has stated the servers, offices etc. used to provide the services under the Terms of Use and Sale for Businesses. You may request information about the servers, offices used by Thingtesting in connection with these services and Thingtesting will respond within 30 days.


25. Thingtesting may engage third-party sub-processors to process the Relevant Data for the Purpose, provided that Thingtesting imposes data protection obligations on each sub-processor that require it to protect the Relevant Data to at least the same standard imposed on Thingtesting in this DPA, including requiring such sub-processors to only process Relevant Data to the extent required to perform their obligations. Thingtesting will use commercially reasonable efforts to inform you of any intended changes (and allow you the opportunity to object) concerning the addition or replacement of a sub-processor, and your continued use of the platform will constitute your approval of any such sub-processors.

28. Thingtesting will be liable for any breach of this DPA that is caused by an act, error or omission of one or more of its sub-processors.

Deletion or return of Relevant Data

29. Thingtesting will retain the Relevant Data for the following periods:

  • 30 days for all BCC emails; and
  • 3 years for all other Relevant Data.

30. After these periods have ended, or on your earlier request, Thingtesting will immediately return or delete (including anonymize) the Relevant Data in a manner and form decided by Thingtesting, acting reasonably. This won’t apply to the extent that Thingtesting is required by applicable law to retain some or all of the Relevant Data.

Data Protection Officer

You can reach our data protection officer by sending an email to: [email protected]



  • Providing you with one or more of our review invitation services, as defined in the Terms of Use and Sale for Businesses (when you send (or we send on your behalf) invitations to your consumers asking them to write a review on our platform about your services and/or your products).

Categories of data subjects

  • Your consumers

Categories of Personal Data

  • Name
  • Email address
  • Reference number, such as an order ID or similar
  • Any other Personal Data included in the order confirmation messages that you send to your consumers who make purchases from you.

Special Categories of Personal Data

Thingtesting does not intentionally collect or process any Special Categories of Personal Data, as it is not needed for the purposes of providing you with the review invitation services. However, Special Categories of Personal Data may be processed if you choose to include this data within the order confirmation messages that you send to your consumers who make purchases from you and the type of review invitation service used involves Thingtesting being copied on such messages.