Data Processing Agreement

Last updated: July 5, 2026

This DPA governs FitSignal's processing of survey-respondent personal data on behalf of customers (the controllers). It forms part of our Terms of Service at /terms.

1. Parties & roles

This Data Processing Agreement ("DPA") is between the Customer (the "Controller") and GroundForm Software LLC, a Wyoming limited liability company trading as FitSignal (the "Processor"), and applies whenever FitSignal processes personal data on the Customer's behalf under the Terms of Service at /terms.

The Customer is the controller of respondent personal data — the names, email addresses, persona and segment attributes, and survey responses of the Customer's own end-users — and determines the purposes and means of processing. FitSignal is the processor of that data and acts only on the Customer's documented instructions, which include the Terms of Service, this DPA, and use of the product's features.

For data about the Customer's own workspace and team — account and authentication records, billing and subscription data, support correspondence, and marketing-site analytics — FitSignal is an independent controller. That processing is described in our Privacy Policy at /privacy and is not governed by this DPA.

Our contact for data-protection matters under this DPA is support@fitsignal.com. Registered address: GroundForm Software LLC, 30 N Gould St, STE R, Sheridan, WY 82801, USA.

2. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service or in Applicable Data Protection Law. In this DPA:

  • "Applicable Data Protection Law" means all data-protection and privacy laws that apply to the processing under this DPA, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the GDPR as retained in UK law and the UK Data Protection Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and applicable US state privacy laws such as the California Consumer Privacy Act as amended ("CCPA").
  • "Controller" means the Customer, which determines the purposes and means of processing the Personal Data.
  • "Processor" means FitSignal (GroundForm Software LLC), which processes Personal Data on the Controller's behalf.
  • "Personal Data" means the personal data within Customer Data that FitSignal processes on the Controller's behalf under the Terms of Service, as described in Annex 1.
  • "Respondent" means an end-user or customer of the Controller who is invited to, or completes, a survey run through FitSignal. Respondents are identified individuals: their contact details and attributes are supplied by the Controller, or they respond through a tokenized personal link, the Controller's shareable survey link, or the embeddable widget.
  • "Data Subject" means an individual to whom Personal Data relates — for example a Respondent or one of the Controller's administrators.
  • "Sub-processor" means a third party engaged by FitSignal to process Personal Data on the Controller's behalf, as listed on the Subprocessors page at /subprocessors (Annex 3).
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed under this DPA.
  • "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission in Decision 2021/914 for the transfer of personal data to third countries.
  • "UK Addendum" means the International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
  • "Restricted Transfer" means a transfer of Personal Data to a country or organization not benefiting from an adequacy decision under Applicable Data Protection Law.

3. Relationship to the Terms

This DPA forms part of, and is governed by, the Terms of Service at /terms. It applies to FitSignal's processing of Personal Data on the Controller's behalf. If there is any conflict between this DPA and the rest of the Terms on a matter of personal-data processing, this DPA prevails — it sits first in the order of precedence set out in the Terms. Where the Standard Contractual Clauses apply, they prevail over this DPA to the extent of any conflict.

4. Subject matter, nature & duration

Subject matter: provision of the FitSignal product-market fit (PMF) and NPS survey and analytics platform. Nature & purpose: delivering surveys to the Controller's Respondents by email, shareable survey link, and embeddable widget; collecting and storing survey responses and response metadata; computing PMF and NPS analytics; and running AI Improvement Analysis over free-text answers on the Controller's behalf. Duration: for as long as FitSignal provides the service to the Customer, plus the deletion period in Section 15. Details are in Annex 1.

5. Controller obligations

The Controller warrants and agrees that:

  • it has a lawful basis under Applicable Data Protection Law for uploading Respondent contact details and attributes to FitSignal and for inviting Respondents to surveys;
  • it has given Respondents any privacy notice required by Applicable Data Protection Law covering the use of FitSignal as its processor;
  • its instructions to FitSignal comply with Applicable Data Protection Law, and it is responsible for the accuracy and quality of the Personal Data it supplies;
  • it will not instruct FitSignal to process special categories of personal data (for example health, political, or religious data); such data may appear incidentally in free-text answers, and is handled under the controls in Annex 2; and
  • its use of survey sending complies with the Acceptable Use Policy at /acceptable-use, including honoring Respondent unsubscribe and opt-out requests where required.

6. Processor obligations

FitSignal will:

  • process Personal Data only on the Controller's documented instructions, including for transfers, unless required by law (in which case we'll inform the Controller unless legally prohibited);
  • ensure personnel authorized to process the data are bound by confidentiality;
  • implement the technical and organizational measures in Annex 2;
  • assist the Controller by appropriate technical and organizational measures, insofar as possible and taking into account the nature of processing, to respond to data-subject requests (Section 9);
  • assist the Controller in ensuring compliance with its obligations on security of processing, notification of a Personal Data Breach, data protection impact assessments, and prior consultation with a supervisory authority (Articles 32 to 36 GDPR), taking into account the nature of processing and the information available to FitSignal;
  • notify the Controller of a Personal Data Breach as set out in Section 8;
  • make available the information necessary to demonstrate compliance and allow for audits as described in Section 10.

7. Sub-processors

The Controller gives FitSignal general authorization to engage the Sub-processors listed on our Subprocessors page at /subprocessors (Annex 3). Each Sub-processor is bound by data-protection terms no less protective than this DPA. We will give at least 30 days' notice of intended additions or replacements — by updating the Subprocessors page and emailing workspace account owners — during which the Controller may object on reasonable data-protection grounds; if we can't resolve the objection, the Controller may terminate the affected service.

FitSignal remains responsible for its Sub-processors' performance of their data-protection obligations.

8. Personal data breaches

FitSignal will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will describe, to the extent known and as it becomes available, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it and mitigate its effects.

Where Respondent data is involved, the Controller is responsible for any notification to data subjects and supervisory authorities; FitSignal will provide reasonable assistance so the Controller can meet those obligations. FitSignal's notification of, or response to, a Personal Data Breach is not an acknowledgment of fault or liability.

9. Data-subject requests

Respondents are identified individuals, and the FitSignal dashboard lets the Controller view, export, and delete Respondent records and their survey responses directly. Most data-subject requests — access, portability, rectification, and erasure — can therefore be fulfilled by the Controller itself using the product. Where the built-in tooling is not sufficient, FitSignal will assist the Controller by appropriate technical and organizational measures, insofar as possible; contact support@fitsignal.com.

If FitSignal receives a request directly from a data subject (for example a Respondent) relating to the Controller's Personal Data, it will, where lawful, refer the request to the Controller rather than respond itself, and will not disclose the Personal Data except on the Controller's instructions or as required by law.

10. Audit

On reasonable written request (no more than once a year, unless required by a supervisory authority or following a Personal Data Breach), FitSignal will make available the information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. This is satisfied through written responses, policies, summaries of measures, and the descriptions in Annex 2. FitSignal does not hold a SOC 2 or ISO certification and does not represent that it does; audit rights under this Section are met by documentation and written responses rather than on-site inspection.

11. US state privacy laws (service provider terms)

This Section applies where the Customer is a "business" (or equivalent) and FitSignal is a "service provider" or "processor" under the CCPA or another US state privacy law. Terms in quotation marks have the meaning given in those laws.

FitSignal processes personal information only to provide the service under the Terms (the "business purpose"), and on the Customer's behalf. FitSignal will not:

  • "sell" or "share" personal information, and does not exchange it for money or other valuable consideration or for cross-context behavioral advertising;
  • retain, use, or disclose personal information for any purpose other than the business purpose, or outside the direct business relationship with the Customer, except as permitted by law;
  • combine personal information received from the Customer with personal information from any other source, except as permitted by the CCPA for a service provider; and
  • pool one customer's data with another's, or use survey content to build any cross-customer dataset or benchmark or to train AI models (our AI sub-processor, Anthropic, does not use API inputs or outputs to train its models).

FitSignal certifies that it understands and will comply with these restrictions. FitSignal will assist the Customer in responding to verifiable consumer requests and will notify the Customer if it determines it can no longer meet its obligations under Applicable Data Protection Law. The Customer may take reasonable and appropriate steps to stop and remediate unauthorized processing.

12. International transfers

Customer Data is processed and stored in the United States — FitSignal runs a single primary database region in the US. Where a transfer of Personal Data (for example, of EEA, UK, or Swiss Respondents) is a Restricted Transfer, the parties rely on the following safeguards, which are incorporated into this DPA by reference:

  • for transfers from the EEA, the EU Standard Contractual Clauses — Module Two (controller to processor) between the Controller and FitSignal, and Module Three (processor to processor) for onward transfers to Sub-processors;
  • for transfers of UK data, the UK Addendum (or the IDTA where applicable) to the SCCs;
  • for transfers of Swiss data, the SCCs as amended by the Swiss Federal Data Protection and Information Commissioner's addendum (with references to the GDPR read as references to the FADP, and the Swiss authority as competent authority); and
  • an adequacy decision where the destination country benefits from one, in which case the SCCs are not required for that transfer.

Annex 1 and Annex 2 supply the information required by the SCC appendices (parties, description of processing, and technical and organizational measures); the Subprocessors page at /subprocessors (Annex 3) identifies the Sub-processors and their locations. Where the SCCs apply, they prevail over this DPA to the extent of any conflict, and their docking, audit, and option clauses operate consistently with Sections 7, 9, and 10 of this DPA.

13. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the exclusions and limitations of liability in the Terms of Service. Any reference in those limitations to liability under the Terms includes liability under this DPA, and the parties' aggregate liability across the Terms and this DPA is subject to a single combined cap as stated in the Terms. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Law, including a data subject's rights.

14. General

We may update this DPA to reflect changes in the service, our Sub-processors, or Applicable Data Protection Law; we will update the "last updated" date and give notice of material changes, and we will not make changes that materially reduce the protections in this DPA without notice. The list of authorized Sub-processors is maintained on the Subprocessors page at /subprocessors (Annex 3), which is kept current and forms part of this DPA. Except where the Standard Contractual Clauses require a different governing law or forum, this DPA is governed by, and disputes are resolved under, the governing law and dispute-resolution terms of the Terms of Service — the laws and courts of the State of Wyoming, United States.

15. Return & deletion

This DPA remains in effect for as long as FitSignal processes Personal Data on the Controller's behalf. Survey responses are retained while the Customer's account is active, or until the Customer deletes them through the product. On termination, and at the Controller's choice, FitSignal will delete or return the Personal Data and delete existing copies within 30 days of a verified account-closure request, unless retention is required by law.

  • Generated export files are automatically deleted from storage after 7 days, independently of account status.
  • Short-lived encrypted infrastructure backups are purged on a rolling basis by our managed sub-processors.
  • Billing records are retained by Paddle, our Merchant of Record, as required by law; Paddle acts as an independent controller for checkout and invoicing data.

Annex 1 — Processing details

  • Categories of data subjects: the Customer's end-users and customers who are invited to, or respond to, surveys (Respondents); the Customer's administrators and team members.
  • Categories of personal data: Respondent contact details (names and email addresses supplied by the Customer); persona and segment attributes the Customer assigns (for example role, plan, or customer segment); survey responses (PMF and NPS ratings and free-text answers); response metadata (device type, locale, user agent); and email delivery and engagement events for survey sends.
  • Special categories: not intentionally collected; free-text answers may incidentally contain sensitive information — handled under the confidentiality and PII-redaction controls in Annex 2.
  • Purposes of processing: operating PMF and NPS surveys on the Customer's behalf — delivering surveys by email, shareable survey link, and embeddable widget; collecting and storing responses and response metadata; computing analytics; and running AI Improvement Analysis (per-response sentiment and competitor extraction, and clustering of improvement themes from free-text answers) using Anthropic's Claude models after PII redaction.
  • Frequency: continuous for the duration of the service.
  • Duration: for the term of the service to the Customer, plus the return-and-deletion period in Section 15 (within 30 days after a verified account-closure request; short-lived encrypted backups purged on a rolling basis).

For the purposes of the SCC appendices: Annex I.A (parties) is the Controller (Customer) as data exporter and GroundForm Software LLC as data importer; Annex I.B (description of transfer) is set out in this Annex 1; Annex I.C (competent supervisory authority) is the authority of the Controller's EEA establishment, or where the Controller is not EEA-established, an authority determined under the SCCs (and the ICO for UK data, the FDPIC for Swiss data); and Annex II (technical and organizational measures) is set out in Annex 2.

Annex 2 — Technical & organizational measures

  • Encryption in transit (TLS) and at rest on a managed Postgres database (Neon, United States).
  • Strict per-organization tenant isolation: every query is scoped to the owning organization.
  • Role-based access control and authentication through a managed identity provider (Clerk); administrator sessions are authenticated and internal access is least-privilege.
  • Rate limiting and abuse protection on public endpoints (Upstash Redis).
  • Regex-based PII redaction — email addresses, phone numbers, and URLs (the domain is kept) — applied to survey text before any of it is sent to the AI sub-processor; content hashing avoids re-processing unchanged text; the AI sub-processor (Anthropic) does not use API inputs or outputs to train its models.
  • Error monitoring with session replay in which all text is masked.
  • Data exports delivered via time-limited presigned URLs and automatically deleted from storage after 7 days.
  • Reputable managed Sub-processors for hosting, database, email, background jobs, and object storage, each bound by its own data processing agreement (Annex 3); resilience and short-lived encrypted backups are provided by those managed services.

Annex 3 — Authorized sub-processors

The current list of authorized Sub-processors, with purposes and locations, is maintained on our Subprocessors page at /subprocessors and forms part of this DPA. Changes to the list are notified as described in Section 7.

How to put this in place

This DPA applies automatically to customers who use FitSignal to run surveys — it is executed by using the service, and no signature is required. If your organization needs a countersigned copy, contact support@fitsignal.com.


Related: Privacy Policy · Terms of Service · Cookie Policy · Subprocessors · Acceptable Use · Refund Policy