Data Processing Agreement
Last Updated: June 17, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Mindshare Studio LLC ("Processor," "we") and the subscriber that uses AutoSurvey ("Controller," "you"), and governs our processing of personal data on your behalf. Where the Agreement and this DPA conflict regarding personal data processed on your behalf, this DPA controls.
1. Roles and scope
- You are the controller (GDPR) / business (CCPA/CPRA) for personal data of survey respondents collected through AutoSurvey. We are the processor / service provider, acting only on your documented instructions.
- Your use of AutoSurvey as configured (designing surveys, collecting and storing responses, reporting, export, and the optional AI authoring features) constitutes your documented instructions.
- This DPA does not apply to data for which we are an independent controller (e.g., your account, billing, and service-usage data), which is governed by the Privacy Policy.
2. Subject matter, nature, and purpose
- Subject matter: provision of the AutoSurvey survey-building and survey-runtime service.
- Nature and purpose: hosting survey design content; generating and running surveys; storing survey responses within your own Salesforce org; aggregating responses for in-product analytics; enabling subscriber-initiated export; and, where enabled, AI authoring features operating on survey design content only.
- Duration: the term of the Agreement, plus the limited periods in §9.
3. Data subjects and personal data
- Data subjects: your survey respondents (and any individuals identified in survey content).
- Categories: as determined by you when you design each survey — may include identifiers and contact details, free-text answers, and any other data your survey collects. You are responsible for not collecting special-category/regulated data unless lawfully entitled and appropriately safeguarded.
Important data-location fact: Survey responses are stored only in your own Salesforce org. We do not receive, store, or transmit response data to our control plane, and we do not send responses to any AI sub-processor. The personal data we process outside your org is limited to survey design content (hosted in Google Sheets; sent as prompts to an AI provider for AI features) and the account/usage data covered by the Privacy Policy.
4. Our obligations
We will: process personal data only on your documented instructions; ensure authorized persons are bound by confidentiality; implement appropriate security measures (§7); respect the conditions in §5 for sub-processors; assist you with data-subject requests (§6) and with security, breach-notification, and impact-assessment obligations; delete or return personal data per §9; and make available information reasonably necessary to demonstrate compliance and allow audits (§8).
5. Sub-processors
You provide general authorization for us to engage the sub-processors below. We impose substantially similar data-protection obligations on each and remain responsible for their performance. We will give notice of intended changes with a reasonable period to object on reasonable data-protection grounds.
| Sub-processor | Role / processing | Data categories |
|---|---|---|
| Salesforce, Inc. | Hosts the AutoSurvey control plane (our org): provisioning, licensing, AI-key custody, usage metering | Subscriber/tenant metadata; encrypted AI keys; usage telemetry |
| Google LLC | Hosts survey design content (Sheets/Drive, managed Workspace); optional Gemini AI provider | Survey design content; AI prompts (design content) |
| OpenAI, L.L.C. | AI authoring (question generation, field-name suggestions) | AI prompts = survey design content only — not respondent answers |
- The subscriber's own Salesforce org, where responses are stored, is the Controller's infrastructure and is not our sub-processor.
- BYOK AI: when you use your own AI key, AI requests go directly from your org to your AI provider under your own agreement with that provider; in that configuration the AI provider is not engaged by us as a sub-processor for those calls.
- If we introduce a feature that sends respondent responses to a sub-processor, we will update this list and notify you before it takes effect.
6. Data-subject requests
Taking into account the nature of processing, we will assist you, insofar as possible, to fulfill your obligation to respond to data-subject requests. Because responses are stored in your own Salesforce org, you can directly access, correct, export, and delete respondent data. If we receive a request directly from a respondent, we will not respond except to direct them to you, and will inform you where appropriate.
7. Security measures
- Least-privilege, private-by-default access to response objects (Private sharing; admin/reporting access only via explicit, scoped permission sets);
- Token-gated runtime sessions (unguessable, server-validated tokens; no record IDs in URLs; hashed resume secrets);
- Secrets stored via Salesforce Named/External Credentials and encrypted fields, never returned to the browser;
- Secrets/tokens redacted from logs; security events recorded;
- Auto-escaped rendering and formula-injection neutralization on export.
8. Audits
We will make available information reasonably necessary to demonstrate compliance and, on reasonable prior notice and subject to confidentiality, allow you (or a mutually agreed auditor) to verify compliance, or where required by a supervisory authority.
9. Return and deletion of data
- Responses in your org: You control retention and deletion of responses in your own Salesforce org. On uninstall of the managed package, AutoSurvey's managed objects and the response data they hold are removed per Salesforce's standard uninstall behavior; a customer-owned mapped reporting object and its data remain. Export any data you wish to retain before uninstalling.
- Control-plane / account data: On termination, we will delete or return personal data we hold as processor within a commercially reasonable period, except where retention is required by law.
10. International transfers
Where processing involves cross-border transfer of personal data, the parties will rely on an appropriate transfer mechanism (e.g., Standard Contractual Clauses or an applicable data-transfer framework), as reflected in §5.
11. Breach notification
We will notify you without undue delay after becoming aware of a personal-data breach affecting personal data processed on your behalf, and will provide information reasonably available to assist you in meeting your own notification obligations.
12. Liability; order of precedence
Liability under this DPA is subject to the limitations in the Agreement. This DPA, the Privacy Policy, and the Terms of Service together state the parties' agreement on these matters; for respondent personal data processed on your behalf, this DPA prevails over conflicting terms.
13. Contact
Data-protection contact: support@mindsharestudio.com · Mindshare Studio LLC.
This DPA supplements the AutoSurvey Terms of Service and Privacy Policy.