1. Scope
This DPA applies to Ranx's processing of Customer Data where data-protection laws require processor, service provider, or contractor terms. It supplements the applicable customer agreement and controls if there is a conflict on data-processing obligations.
2. Roles
The customer is the controller or business for Customer Data. Ranx is the processor, service provider, or contractor for Customer Data processed on the customer's behalf. Ranx is an independent controller or business for account, billing, website, security, support, and operational data described in the Privacy Policy.
3. Processing details
Subject matter: operation of the Ranx employee engagement, survey, ranking, driver, action, lift, research, and related SaaS services.
Duration: the term of the customer agreement plus any retention period required for deletion, export, backup, legal compliance, or dispute resolution.
Nature and purpose: hosting, storing, syncing, analyzing, ranking, summarizing, securing, supporting, and maintaining Customer Data to provide Ranx.
Data subjects: customer administrators, employees, survey respondents, invited participants, customer contacts, and other individuals whose information is submitted or connected by the customer.
Data categories: account data, employee and organization metadata, source-system data, connector metadata, survey content, responses, free-text comments, consent records, usage logs, audit logs, diagnostic data, and support communications.
4. Customer instructions
Ranx will process Customer Data only on documented customer instructions, including the customer agreement, product configuration, authorized users' actions, support requests, and written instructions, unless law requires otherwise.
5. Confidentiality
Ranx will ensure that personnel authorized to process Customer Data are bound by confidentiality obligations or are subject to appropriate professional or statutory confidentiality obligations.
6. Subprocessors
The customer authorizes Ranx to use subprocessors to provide the service. Ranx will impose data-protection obligations on subprocessors that are appropriate to the nature of their processing. The current public list is available at www.ranx.app/subprocessors.
7. Security measures
Ranx will maintain commercially reasonable technical and organizational measures designed to protect Customer Data against unauthorized access, loss, alteration, and disclosure. Measures may include encryption, access controls, logging, backup practices, monitoring, vulnerability management, and incident response procedures.
8. Assistance
Taking into account the nature of processing and information available to Ranx, Ranx will reasonably assist customers with data-subject requests, security obligations, breach notifications, data protection impact assessments, and consultations with supervisory authorities where required by law.
9. International transfers
If Customer Data is transferred internationally and data-protection law requires a transfer mechanism, the parties will use an appropriate safeguard such as standard contractual clauses, an adequacy mechanism, or another lawful transfer basis.
10. Return and deletion
At the customer's choice and subject to the agreement, product capabilities, backups, and legal requirements, Ranx will return or delete Customer Data after the services end. Backup deletion may follow ordinary backup lifecycle processes.
