Governing Services Agreement

Previous versions:

LAST UPDATED: August 4, 2022

“Affiliate” means any entity which directly or indirectly controls, is controlled by or is under common control with an entity.  “Control” for purposes of the preceding sentence means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.     

“Article 28” means article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679).

“Customer” or “you” means the customer accepting this Agreement and identified on the cover page of this Agreement.

“Customer Data” means all data (including Personal Data and End User data) that is provided to Momentive by, or on behalf of, Customer through Customer’s use of the Services, and any data that third parties submit to Customer through the Services.

“CCPA” means the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 - 1798.199).

“Data Protection Impact Assessment” means a data protection impact assessment as referred to in article 35 of the General Data Protection Regulation (Regulation (EU) 2016/679).

“Data Protection Legislation” means (i) the GDPR and all other applicable EU, EEA or European single market Member State laws or regulations or any update, amendment or replacement of same that apply to processing of personal data under this Agreement; (ii) all U.S. laws and regulations that apply to processing of personal data under this Agreement including but not limited to CCPA; (iii) all laws and regulations that apply to processing of personal data under this Agreement from time to time in place in the United Kingdom and Canada, and the terms "controller”, “data subject”, "data protection impact assessment", “personal data”, “process”, “processing”, “processor”, "supervisory authority" have the same meanings as in the GDPR and with respect to CCPA (as defined above). 

“End Users” means Customer’s employees, agents, independent contractors, and other individuals authorized by Customer to access and use the Services.

“Intellectual Property Rights” means current and future worldwide rights under patent, copyright, design rights, trademark, trade secrets, domain names and other similar rights, whether registered or unregistered.

“Momentive” means the Momentive entity defined in Section 14 (Momentive Contracting Entity).

“Order Form” means an order form, sales order, sales quote, or similar document referencing and made under this Agreement and signed by the parties.

“Personal Data” means information relating to a living individual who is, or can be, reasonably identified from information, either alone or in conjunction with other information (a "Data Subject"), within Customer’s control and which is stored, collected or processed within one of Customer’s Momentive End User accounts.

“Services” means the products and services offered by Momentive and ordered by Customer on an Order Form.

“SSTs” means service-specific terms that apply to specific Services located at https://www.surveymonkey.com/mp/legal/which-terms-apply/ and that are incorporated into and form a part of this Agreement.

“Standard Contractual Clauses” means the “Standard Contractual Clauses” annexed to the European Commission Decision of: (i) 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR or (ii) until such times as Momentive has entered into the Standard Contractual Clauses outlined at the 5 February 2010 for the Transfer of Customer Personal Data to Processors established in Third Countries under Directive 95/46/EC and where the UK GDPR applies, the applicable standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs") or (iii) such other standard contractual clauses or contract terms as may be amended or approved now or in the future for the purposes of facilitating transfer of personal data across borders.   

2.1 Provision of Services. Momentive will provide the Services to Customer in accordance with this Agreement, including any Order Forms and any applicable SSTs.

2.2 Order Forms. The parties may enter into Order Forms under this Agreement to purchase Services.  Customer’s Affiliates may enter into Order Forms under this Agreement.  Any such Order Form may be signed by Momentive or a Momentive Affiliate pursuant to the requirements under Section 14.  Any reference in the Agreement to “Customer” will refer to the Customer entity signing the Order Form and any reference in the Agreement to “Momentive” will refer to the Momentive contracting entity signing the Order Form.  Each Order Form will incorporate the terms and conditions of this Agreement and will be a separate contract between the entities entering into the Order Form.

2.3 Third-Party Services. If Customer integrates the Services with any non-Momentive-provided third-party service (such as a third party’s service that uses an application programming interface (API)), Customer acknowledges that such third-party service might access or use Customer Data and Customer permits the third-party service provider to access Customer Data as required for the interoperation of that third-party service with the Services.  Customer is solely responsible for the use of such third-party services and any data loss or other losses it may suffer as a result of using any such services.

3.1 License and Term.

(a) License. Where Services are sold to Customer as a subscription, Momentive grants Customer a non-exclusive, non-transferable worldwide right to access and use the Services during the subscription term, subject to the terms of this Agreement.

(b) Subscription Term. The initial term of each subscription is specified on the Order Form. Subscriptions will automatically renew at the end of each subscription term for additional periods equal to one year, unless either party gives the other written notice of non-renewal at least 30 days before the end of the then-current subscription term.

(c) Subscription Units Added Mid-subscription. An Order Form may be used to add more subscription units (e.g. seats or packages) to a subscription during a subscription term.  The per unit pricing for those additional subscription units will be as specified on the Order Form of the underlying subscription (or, absent such specification, at the same per unit pricing as the underlying subscription pricing).  Any such additional subscription units will renew or terminate on the same date as the underlying subscription.  Subscription units relating to a Service cannot be decreased during a subscription term for that Service.

4.1 Changes to Services. Momentive continually changes and improves the Services. Momentive will provide Customer with prior written notice if Momentive makes a change to the Service(s) resulting in a material decrease in core functionality used by Momentive’s general customer base. In such event, the parties agree to work together to minimize the impact of such change to Customer.

5.1 Fees. Customer will pay to Momentive all applicable fees for the Services specified in each Order Form. Except as otherwise specified in this Agreement or prohibited by applicable law, payment obligations are non-cancelable, and fees paid are not refundable.

5.2 Invoicing and Payment Terms. Payment terms shall be specified in each Order Form. An invoice will be issued upon execution of the Order Form. Multi-year orders and renewals will be invoiced on an annual basis.

5.3 Taxes. All amounts payable by Customer under this Agreement are exclusive of any applicable taxes, levies, duties, or similar governmental assessments of any nature (including value-added, sales, and use  taxes, but excluding withholding taxes and taxes based on Momentive’s income, property, or employees) (“Taxes”) that may arise in connection with Customer’s purchases under this Agreement.  If any such Taxes arise, Customer will pay such Taxes in addition to all other amounts payable under this Agreement, unless Customer provides Momentive with a valid tax exemption certificate or other documentary proof, issued by an appropriate taxing authority, that no tax should be charged. If Customer is required by law to withhold any Taxes from its payments to Momentive for a Momentive tax liability, Customer must provide Momentive with an official tax receipt or other appropriate documentation to support such payments.  If there is a Momentive tax liability or related Momentive tax penalty that is supported through an official tax receipt or other appropriate documentation provided by Customer to Momentive, then Momentive may gross-up Customer’s invoice amount by the amount of the Momentive tax liability or related tax penalty.

5.4 Currency. All monetary amounts in this Agreement are denominated in the currency stated on the Order Form. Fee payments by Customer must be received by Momentive in the same currency as such fees were billed.

5.5 Overdue Fees. Momentive may charge Customer interest on overdue fees (excluding amounts disputed reasonably and in good faith) at the rate of 1.5% per month (or the highest rate permitted by law, if less) on the amount overdue.  If any good faith, undisputed amount owed by Customer is overdue by thirty (30) days or more, Momentive may limit functionality or suspend provision of Services to Customer until such amounts are paid in full.

5.6 Overage Fees.  During the subscription term, Momentive may review the number of seats and/or responses utilized and discuss with the Customer options for purchasing additional units. Customer agrees to pay for either: (i) the additional seat units which will be at the per unit overages pricing as specified on the Order Form for the underlying subscription (or, absent such specification, at the same per unit overages pricing as the underlying subscription pricing), or (ii) the additional response bundles applicable based on usage.

6.1 Customer Responsibilities.

(a) Account Security.  Customer is responsible for maintaining the confidentiality of its own passwords and any other credentials used by it and its End Users to access the Services.  Customer will use commercially reasonable efforts to prevent unauthorized use of the Services and will terminate any unauthorized use of which it becomes aware. Customer will notify Momentive promptly if Customer becomes aware of any unauthorized access to its accounts.

(b) End User Activities. Customer is responsible for ensuring that its End Users comply with this Agreement. Customer is responsible for the acts of its End Users and any activity occurring in its End User accounts (other than activity that Momentive is directly responsible for which is not performed in accordance with Customer’s instructions).

(c) One Individual per Account.  End User accounts and passwords may not be shared and may only be used by one individual per account.

6.2 Acceptable Uses by Customer. Customer agrees to comply with the Acceptable Uses Policy located at https://www.surveymonkey.com/mp/legal/acceptable-uses-policy/.

6.3 Third Party Requests. The parties may from time to time receive a request from a third party for records related to Customer’s use of the Services, including information in a Customer End User account or identifying information about a Customer End User, excluding Data Subject access requests as provided for under the GDPR (“Third Party Request”).  Third Party Requests include search warrants, subpoenas, and other forms of legal process.

Customer is responsible for responding to Third Party Requests via its own access to the information, and will only contact Momentive if Customer is unable to obtain such information after diligent efforts. If Momentive receives a valid Third Party Request then, to the extent permitted by law, Momentive:

(a) may inform the third party issuing such request that it should pursue the request directly with Customer; and

(b) will: (i) promptly notify Customer of the Third Party Request; (ii) cooperate, at Customer’s expense, with Customer’s reasonable requests regarding Customer’s efforts to oppose a Third Party Request; and (iii) after providing Customer with an opportunity to respond to or oppose the Third Party Request, Momentive may fulfill that request if Momentive determines that it is required or permitted by law to do so.

6.4 Embargoes. Customer represents and warrants that it is not barred by any applicable laws from being supplied with the Services.  The Services may not be used in any country that is subject to an embargo by the United States or European Union applicable to the Services.  Customer will ensure that: (a) its End Users do not use the Services in violation of any export restriction or embargo by the United States; and (b) it does not provide access to the Services to persons on the U.S. Department of Commerce’s Denied Persons List or Entity List, or the U.S. Treasury Department’s list of Specially Designated Nationals.

6.5 Suspension of Services. Momentive may limit or suspend the Services to perform scheduled maintenance or to stop a violation of Section 6.2 (Acceptable Uses by Customer), to prevent material harm to Momentive or its customers or as required by applicable law.  Momentive will use reasonable endeavors to give Customer reasonable advance notice of any limitation or suspension so that Customer can plan around it or address the issue that has prompted Momentive to take such action.  There may be some situations, such as security emergencies, where it is not practicable for Momentive to give such advance notice.  Momentive will use commercially reasonable efforts to narrow the scope and duration of the limitation or suspension as is needed to resolve the issue that prompted such action.

7.1 Security. Momentive has, considering the state of the art, cost of implementation, the nature, scope, context and purposes of the Services, and the level of risk, implemented appropriate technical and organizational measures to enable a level of security appropriate to the risk of unauthorized or unlawful processing, accidental loss of and/or damage to Customer Data. At reasonable intervals, Momentive tests and evaluates the effectiveness of these technical and organizational measures for enabling the security of the processing.

7.2 Data Protection. Where Momentive is processing Personal Data for Customer, Momentive will:

(a) only do so on documented Customer instructions and in accordance with applicable law, including with regard to transfers of Personal Data to other jurisdictions or an international organization, and the parties agree that this Agreement constitutes such documented instructions of the Customer to Momentive to process Customer Data;

(b) to the extent applicable, for data transfers Momentive Europe UC relies upon the Standard Contractual Clauses and/or consent for personal data transfers to countries that do not have adequate levels of data protection as determined by the European Commission, United Kingdom or other jurisdictions which approve and require Standard Contractual Clauses;

(c) with respect to any transfers of Personal Data out of the European Economic Area (EEA), the United Kingdom or other country requiring Standard Contractual Clauses, that may be required in relation to or in connection with the Agreement and the provision of the Services hereunder, the parties shall comply with and be subject to all obligations imposed on a ‘data importer’ or 'data exporter' (as appropriate) as set out under the Standard Contractual Clauses;

(d) ensure that all Momentive personnel involved in the processing of Personal Data are subject to confidentiality obligations in respect of the Personal Data;

(e) make available information necessary for Customer to demonstrate compliance with its Article 28 obligations (if applicable to the Customer) where such information is held by Momentive and is not otherwise available to Customer through its account and user areas or on Momentive websites, provided that Customer provides Momentive with at least 14 days' written notice of such an information request;

(f) cooperate as reasonably requested by Customer to enable Customer to comply with any exercise of rights by a Data Subject afforded to Data Subjects by Data Protection Legislation in respect of Personal Data processed by Momentive in providing the Services;

(g) provide assistance, where necessary with all requests received directly from a Data Subject in respect of a Data Subject's Personal Data submitted through the Services;

(h) upon deletion, by you, not retain Customer Personal Data from within your account other than in order to comply with applicable laws and regulations and as may otherwise be kept in routine backup copies made for disaster recovery and business continuity purposes subject to our retention policies;

(i) cooperate with any supervisory authority or any replacement or successor body from time to time (or, to the extent required by the Customer, any other data protection or privacy regulator under Data Protection Legislation) in the performance of such supervisory authority's tasks where required;

(j) not store Personal Data (in a format that permits identification of relevant Data Subjects) for longer than is necessary for the purposes for which the data is processed save to the extent such retention is required for legitimate business purposes (with respect to, for example, security and billing), in order to comply with applicable laws and regulations and as may otherwise be kept in routine backup copies made for disaster recovery and business continuity purposes; and

(k) where required by Data Protection Legislation, inform Customer if it comes to Momentive’s attention that any instructions received from Customer infringe the provisions of Data Protection Legislation, provided that notwithstanding the foregoing, Momentive shall have no obligation to review the lawfulness of any instruction received from the Customer.  If this provision is invoked, Momentive will not be liable to Customer under the Agreement for any failure to perform the applicable Services until such time as Customer issues new lawful Instructions with regard to the Processing; and

(l) assist Customer as reasonably required where Customer (i) conducts a data protection impact assessment involving the Services  (which may include by provision of documentation to allow customer to conduct their own assessment); or (ii) is required to notify a Security Incident (as defined below) to a supervisory authority or a relevant data subject.

7.3 Use of Sub-processors. Customer provides a general authorization to Momentive to engage onward sub-processors, subject to compliance with the requirements in this Section 7.  Momentive will, subject to any confidentiality provisions under this Agreement or otherwise imposed by Momentive:

(a) make available to Customer a list of the Momentive subprocessors (“Sub-processors”) who are involved in processing or sub-processing Personal Data in connection with the provision of the Services, together with a description of the nature of services provided by each Sub-processor (“Sub-processor List”). A copy of this Sub-processor List may be accessed at https://www.surveymonkey.com/mp/legal/subprocessor-list/?ut_source=legal&ut_source2=general&ut_source3=inline;

(b) ensure that all Sub-processors on the Sub-processor List are bound by contractual terms that are in all material respects no less onerous than those contained in this Agreement; and

(c) be liable for the acts and omissions of its Sub-processors to the same extent Momentive would be liable if performing the services of each of those Sub-processors directly under the terms of this Agreement.

7.4 New / Replacement Sub-processors. Momentive will provide Customer with written notice of the addition of any new Sub-processor at any time during the term of the Agreement (“New Sub-processor Notice”). Customer will sign up to a mailing list at https://smprivacy.wufoo.com/forms/zc3vu3b15nkrg1/ made available by Momentive through which such notices will be delivered by e-mail or alternatively will check on updates to the list at https://www.surveymonkey.com/mp/legal/subprocessor-list/?ut_source=legal&ut_source2=general&ut_source3=inline.  If Customer has a reasonable basis related to data protection to object to Momentive’s use of a new or replacement Sub-processor, Customer will notify Momentive promptly in writing and in any event within 30 days after receipt of a New Sub-processor Notice.  In the event of such reasonable objection, either Customer or Momentive may terminate the portion of any Agreement relating to the Services that cannot be reasonably provided without the objected-to new Sub-processor (which may involve termination of the entire Agreement) with immediate effect by providing written notice to the other party.

7.5 Security Incident. If Momentive becomes aware of any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of, Personal Data (“Security Incident”), Momentive will  notify Customer without undue delay.  Such notification shall not be interpreted or construed as an admission of fault or liability by Momentive.  A Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.  Momentive will also reasonably cooperate with Customer with respect to any investigations relating to a Security Incident with preparing any required notices, and provide any information reasonably requested by Customer in relation to any Security Incident.

7.6 Audits. Customer will provide Momentive with at least one month’s prior written notice of any audit, which may be conducted by Customer or an independent auditor appointed by Customer (provided that no person conducting the audit shall be, or shall act on behalf of, a competitor of Momentive) (“Auditor”).  The scope of an audit will be as follows:

(a) Customer will only be entitled to conduct an audit once per year unless otherwise legally compelled or required by a regulator with established authority over the Customer to perform or facilitate the performance of more than 1 audit in that same year (in which circumstances Customer and Momentive will, in advance of any such audits, agree upon a reasonable reimbursement rate for Momentive’s audit expenses).

(b) Momentive agrees, subject to any appropriate and reasonable confidentiality restrictions, to provide evidence of any certifications and compliance standards it maintains and will, on request, make available to Customer an executive summary of Momentive’s most recent annual penetration tests, which summary shall include remedial actions taken by Momentive resulting from such penetration tests.

(c) The scope of an audit will be limited to Momentive systems, processes, and documentation relevant to the processing and protection of Personal Data, and Auditors will conduct audits subject to any appropriate and reasonable confidentiality restrictions requested by Momentive.

(d) Customer will promptly notify and provide Momentive with full details regarding any perceived non-compliance or security concerns discovered during the course of an audit.

The parties agree that, except as otherwise required by order or other binding decree of a regulator with authority over the Customer, this Section 7.6 sets out the entire scope of the Customer’s audit rights as against Momentive.

7.7 Customer Privacy Obligations. Customer shall ensure and hereby warrants and represents that it is entitled to transfer the Customer Data to Momentive so that Momentive may on behalf of Customer, lawfully process and transfer the Personal Data in accordance with this Agreement.  Customer shall ensure that relevant Data Subjects have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation.

7.8 Types Data Processing.   The parties agree that the purpose and nature of the processing of Personal Data, the types of Personal Data and categories of Data Subjects are as set out in Appendix A.

8.1 Customer IP. As between the parties, the Customer retains ownership of all Intellectual Property Rights in the Customer Data. This Agreement does not grant Momentive any licenses or rights to the Customer Data except for the following:

(a) Customer grants Momentive and its affiliates a worldwide, royalty-free, non-exclusive, limited license to use, host, copy, transmit, modify, display, and distribute Customer Data only for the limited purposes of providing the Services to Customer and improving the Services subject to the use of privacy minimization techniques such as de-identification and pseudonymization where possible and appropriate.

(b) If Customer provides Momentive with feedback about the Services, Momentive may use that feedback and incorporate it into its products and services without any obligation to Customer.

8.2 Momentive IP.  As between the parties, Momentive retains ownership of the Services and all related Intellectual Property Rights.  No licenses or rights are granted to Customer by Momentive other than as expressly provided for in this Agreement.  This Agreement does not grant the Customer any right to use Momentive’s trademarks or other brand elements except as may be otherwise agreed in writing between the parties.

8.3 Publicity.  Momentive may identify Customer by name and logo as a Momentive customer on Momentive’s website and on other promotional materials.  Any goodwill arising from the use of Customer’s name and logo will inure to the benefit of Customer.

9.1 Definition. “Confidential Information” means information disclosed by a party (“Discloser”) to the other party (“Recipient”) in connection with the use or provision of the Services that is either marked as confidential or would reasonably be considered as confidential under the circumstances.  Customer’s Confidential Information includes Customer Data.  Momentive’s Confidential Information includes the terms of this Agreement and any security information about the Services.  Despite the foregoing, Confidential Information does not include information that: (a) is or becomes public through no fault of the Recipient; (b) the Recipient already lawfully knew; (c) was rightfully given to the Recipient by an unaffiliated third party without restriction on disclosure; or (d) was independently developed by the Recipient without reference to the Discloser’s Confidential Information.

9.2 Confidentiality. The Recipient will: (a) protect the Discloser’s Confidential Information using commercially reasonable efforts; (b) use the Discloser’s Confidential Information only as permitted by this Agreement, including to exercise the Recipient’s rights and fulfill the Recipient’s obligations under this Agreement; and (c) not disclose the Discloser’s Confidential Information without the Discloser’s prior consent, except to affiliates, contractors, agents, and professional advisors who need to know it and have agreed in writing (or, in the case of professional advisors, are otherwise bound) to keep it confidential on terms comparable to those under this Section.  The Recipient may disclose the Discloser’s Confidential Information when and to the extent required by law or legal process, but only after the Recipient, if permitted by law, uses reasonable efforts to notify the other party.

9.3 Return or Destruction of Confidential Information.  Upon the termination or expiration of the Agreement and all Order Forms under the Agreement, each party will promptly return to the other party or destroy all Confidential Information of the other party in its possession or control within a reasonable amount of time in accordance with the Recipient’s data destruction practices.  Despite the termination or expiration of this Agreement, Recipient’s confidentiality obligations with respect to the Confidential Information will survive for two (2) years after the date such Confidential Information was disclosed to Recipient (except with respect to any trade secrets identified by Discloser as such at the time of disclosure, where such confidentiality obligations will continue for as long as the information remains a trade secret).