Data Processing Agreement

Effective Date: January 12, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between SIZORAX LTD, a company registered in England and Wales (company number 16955799), trading as Testimint ("Processor", "we", "us", or "our") and the entity agreeing to these terms ("Controller", "you", or "your") for the provision of the Testimint platform services.

This DPA applies to the extent that we process Personal Data on your behalf as a Data Processor under the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and/or the EU General Data Protection Regulation (EU 2016/679) ("EU GDPR"), collectively referred to as "Data Protection Laws".

1. Definitions

For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined by Data Protection Laws
  • "Data Subject" means the individual to whom Personal Data relates (in this context, testimonial authors)
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data
  • "Supervisory Authority" means the Information Commissioner's Office (ICO) in the UK, or relevant data protection authority in other jurisdictions

2. Scope and Roles

2.1 Scope of Processing

This DPA applies to Personal Data processed in connection with:

  • Testimonial content submitted through your projects
  • Testimonial author information (names, email addresses, job titles, companies)
  • Media files containing personal data (photographs, videos, audio recordings)
  • Consent records and submission metadata

2.2 Roles and Responsibilities

You are the Data Controller: You determine the purposes and means of processing testimonial data. You are responsible for:

  • Ensuring you have a lawful basis for collecting and processing testimonial data
  • Providing appropriate privacy notices to testimonial authors
  • Obtaining necessary consents where required
  • Responding to Data Subject rights requests
  • Notifying relevant Supervisory Authorities of data breaches where required

We are the Data Processor: We process testimonial data only on your documented instructions. We are responsible for:

  • Processing Personal Data only as instructed by you and as necessary to provide the Service
  • Implementing appropriate technical and organisational security measures
  • Assisting you in responding to Data Subject requests
  • Notifying you of any Data Breaches without undue delay
  • Ensuring our personnel are bound by confidentiality obligations

3. Details of Processing

3.1 Subject Matter

The processing of testimonial data submitted through the Testimint platform for the purpose of enabling you to collect, manage, and display customer testimonials.

3.2 Duration

Processing will continue for the duration of your use of the Service. Upon termination, we will delete or return Personal Data in accordance with Section 11 of this DPA.

3.3 Nature and Purpose

  • Collection and storage of testimonial submissions
  • Display of testimonials through widgets and public pages
  • AI-powered analysis (when enabled by you): transcription, summarisation, sentiment analysis
  • Analytics and reporting on testimonial performance
  • Integration with third-party services you configure

3.4 Types of Personal Data

  • Identity data: names, job titles, company names
  • Contact data: email addresses
  • Visual data: photographs, video recordings, profile images
  • Audio data: voice recordings, audio testimonials
  • Content data: testimonial text, ratings, reviews
  • Technical data: IP addresses, consent timestamps, submission metadata

3.5 Categories of Data Subjects

Testimonial authors: individuals who submit testimonials through your projects, typically your customers, clients, or users.

4. Your Obligations as Controller

You warrant and represent that:

  • You have a valid lawful basis under Article 6 of UK GDPR/EU GDPR for the collection and processing of testimonial data
  • You have provided appropriate privacy notices to Data Subjects informing them of how their data will be processed
  • Where consent is the lawful basis, you have obtained valid, freely given, specific, informed, and unambiguous consent
  • You have obtained necessary consents or permissions for any media content (images, videos, audio) containing personal data
  • Your instructions to us comply with Data Protection Laws
  • You will respond to Data Subject requests in accordance with Data Protection Laws

5. Our Obligations as Processor

5.1 Processing Instructions

We will process Personal Data only on your documented instructions, unless required to do so by applicable law. Your instructions are documented in this DPA, our Terms of Service, Privacy Policy, and through your use and configuration of the Service.

5.2 Confidentiality

We ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit using TLS/SSL
  • Encryption of Personal Data at rest
  • Access controls and authentication mechanisms
  • Regular testing and evaluation of security measures
  • Secure development practices
  • Employee security training and awareness
  • Incident response procedures

5.4 Assistance with Data Subject Rights

We will assist you in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. We provide tools within the Service to help you manage and export testimonial data.

5.5 Assistance with Compliance

We will assist you in ensuring compliance with your obligations under Articles 32-36 of UK GDPR/EU GDPR, including:

  • Security of processing (Article 32)
  • Notification of data breaches to the Supervisory Authority (Article 33)
  • Communication of data breaches to Data Subjects (Article 34)
  • Data protection impact assessments (Article 35)
  • Prior consultation with Supervisory Authorities (Article 36)

6. Sub-processors

6.1 Authorised Sub-processors

You provide general authorisation for us to engage Sub-processors to process Personal Data on your behalf. Our current list of Sub-processors is set out in our Sub-processor List.

6.2 Sub-processor Changes

We will notify you of any intended additions or replacements of Sub-processors at least 30 days before the change takes effect, giving you the opportunity to object. If you have reasonable grounds to object, we will work with you to address your concerns. If we cannot address your concerns, you may terminate the affected services.

6.3 Sub-processor Obligations

We ensure that Sub-processors are bound by written agreements imposing data protection obligations no less protective than those in this DPA. We remain fully liable for the acts and omissions of our Sub-processors.

7. International Transfers

7.1 Transfer Mechanisms

Where Personal Data is transferred outside the UK or EEA to countries not subject to an adequacy decision, we ensure appropriate safeguards are in place:

  • UK Transfers: UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
  • EEA Transfers: European Commission Standard Contractual Clauses (SCCs)
  • Supplementary Measures: Additional technical and organisational measures where required following transfer impact assessments

7.2 OpenAI Transfers

If you enable AI features, testimonial data (including the identity, contact, content, audio and visual data described in Section 3.4) will be transferred to OpenAI in the United States. This transfer is governed by the Standard Contractual Clauses (and, for UK transfers, the UK Addendum) described in Section 7.1. You acknowledge that by enabling AI features, you are instructing us to make this transfer on your behalf.

8. Data Breach Notification

8.1 Notification to Controller

We will notify you without undue delay (and in any event within 48 hours) after becoming aware of a Data Breach affecting Personal Data we process on your behalf. Our notification will include:

  • A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
  • Contact details for obtaining further information
  • A description of the likely consequences of the breach
  • A description of measures taken or proposed to address the breach and mitigate its effects

8.2 Your Notification Obligations

As Data Controller, you are responsible for determining whether a breach must be notified to the Supervisory Authority (within 72 hours under Article 33) and/or to affected Data Subjects (under Article 34). We will provide reasonable assistance with such notifications.

9. Audits and Inspections

9.1 Audit Information

We will make available to you all information reasonably necessary to demonstrate compliance with our obligations under this DPA and Data Protection Laws. This may include:

  • Security certifications and audit reports
  • Completed security questionnaires
  • Documentation of security measures and policies
  • Records of Sub-processor due diligence

9.2 Audit Rights

You may audit our compliance with this DPA, subject to reasonable notice (at least 30 days), during normal business hours, and no more than once per year unless required by a Supervisory Authority or following a Data Breach. You shall bear your own costs of any audit. Audits shall be conducted in a manner that minimises disruption to our operations.

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Agreement (Terms of Service). Nothing in this DPA limits either party's liability for breaches of Data Protection Laws to the extent such liability cannot be limited by law.

11. Data Return and Deletion

11.1 During the Agreement

You may export your testimonial data at any time using the export features provided in the Service. You may delete individual testimonials, projects, or all data at any time.

11.2 Upon Termination

Upon termination of the Agreement, at your choice, we will:

  • Return: Provide you with an export of all Personal Data in a commonly used, machine-readable format; and/or
  • Delete: Delete all Personal Data, including copies, unless retention is required by applicable law

We will complete deletion within 90 days of termination, except that Personal Data may persist in backups for a further period not exceeding 90 days, after which it will be automatically deleted.

12. General Provisions

12.1 Precedence

In the event of any conflict between this DPA and the Agreement (Terms of Service), this DPA shall prevail to the extent of the conflict with respect to the processing of Personal Data.

12.2 Amendments

We may update this DPA from time to time to reflect changes in Data Protection Laws or our processing activities. We will notify you of material changes at least 30 days before they take effect.

12.3 Governing Law

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

12.4 Severability

If any provision of this DPA is found to be unenforceable, the remaining provisions shall continue in full force and effect.

13. Contact

For questions about this DPA or our data processing practices, please contact us through our Contact Page.
