Resona Pulse & Studio – Terms of Service and Data Processing Agreement
Last Updated: December 11, 2025
1. Introduction
Welcome to Resona's Pulse & Studio platform (the "Platform"), a Software-as-a-Service solution for conducting AI-assisted voice interviews and related analytics. These Terms of Service (the "Terms") govern the use of the Platform by you (the "Client") and outline the legal responsibilities of both the Client and Resona ("Resona", "we" or "us") with respect to personal data, in compliance with the EU General Data Protection Regulation (GDPR) and applicable data protection laws. By using or accessing the Platform, the Client agrees to be bound by these Terms. These Terms include a Data Processing Agreement (DPA) that defines how Resona, as a data processor, handles personal data on behalf of the Client (who acts as the data controller). We have structured this document with clear sections to ensure it is accessible and transparent for our EU-based users and clients.
PLEASE READ THESE TERMS CAREFULLY – They explain the respective obligations of the Client and Resona regarding data protection, privacy, and security. If you do not agree with any part of these Terms, you should not use the Platform.
2. Definitions
For the purposes of these Terms:
"Client" (or "Controller") refers to the entity or person who has subscribed to or is using the Platform and determines the purposes and means of the processing of personal data through the Platform. In GDPR terms, the Client is the Data Controller for any personal data they collect from respondents via the Platform.
"Resona" (or "Processor") refers to Resona, the provider of the Platform. Resona acts as a Data Processor, processing personal data on behalf of the Client.
"Platform" (also referred to as "Pulse & Studio") refers to Resona's SaaS application, including the Pulse (survey/interview component) and Studio (analysis/dashboard component), through which Clients design and distribute AI-led interviews and collect responses.
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed through the Platform – for example, a respondent's name, contact information, voice recording, interview responses, or other information the Client chooses to collect.
"Processing", "Data Controller", "Data Processor", "Data Subject", and "Subprocessor" shall have the meanings given to them in the GDPR. In particular, "Subprocessor" means any third-party service provider engaged by Resona that processes Personal Data on behalf of Resona in providing the Platform (this includes the third-party tools and services listed in Section 7).
"Data Protection Laws" refers to the GDPR and any applicable data protection or privacy laws relevant to the Client's or Data Subjects' jurisdiction (including national laws supplementing GDPR).
3. Roles and Scope of Data Processing
3.1 Client as Data Controller
The Client is the Data Controller for all Personal Data that the Client (or the Client's authorized users) collects, uploads, or otherwise processes using the Platform. This means the Client solely determines what data to collect, from whom to collect it (e.g., survey respondents or interviewees), and the purposes for which that data will be used. For example, the Client designs the questions, decides which individuals to involve as respondents, and decides how to use the responses. The Client is responsible for ensuring that such data collection and use comply with all applicable laws and regulations.
3.2 Resona as Data Processor
Resona, in providing the Platform, acts as a Data Processor processing Personal Data on behalf of the Client. We process the data only on the Client's instructions and for the purposes of providing the services on the Platform, as described in these Terms. Resona will host the data, transmit it, analyze it (for example, converting voice answers to text, or summarizing responses using AI, as required to enable the Client to use the Platform), and present results to the Client, without using the data for any other purposes. The Client determines the purposes and essential parameters of the processing, including the design or approval of interview questions, scripts, or interaction frameworks. During an interview, the Platform's AI may adapt interactions based on the participant's responses, solely for the purpose of enabling the Client-defined interview process. Resona does not determine the content, purpose, or means of the interviews beyond providing the technical tools and AI capabilities. We will not sell, use, or disclose Personal Data collected in your projects except as needed to provide the service and as permitted by the Client in accordance with these Terms.
3.3 Independent Data Controller Activities
In some cases, Resona may also process certain Personal Data as an independent controller, for example data you provide when signing up for a Resona account (such as your business contact information for billing or support, or cookies on our marketing website). Such data is handled under our Privacy Policy and is outside the scope of the processor obligations in this DPA. These Terms primarily address the processing of respondents Personal Data that the Client inputs or collects via the Platform, where the Client is controller and Resona is processor.
4. Client Responsibilities and Obligations (Data Controller Duties)
As the Data Controller, the Client is fully responsible for the lawfulness of the Personal Data processing that occurs through the Platform. By using the Platform, the Client agrees to the following obligations:
4.1
The Client shall ensure that it has a valid lawful basis (consent, legitimate interest, etc. as per GDPR Article 6) for processing the Personal Data of respondents via the Platform. The Client must comply with all applicable Data Protection Laws in the collection and use of Personal Data, including adherence to principles of lawfulness, fairness, transparency, purpose limitation, data minimization, and accuracy. The Client is solely responsible for determining if the Platform's features are suitable for the types of data they intend to collect and for conducting any required data protection impact assessments (DPIAs) if the nature of the processing requires it.
4.2
It is the Client's responsibility to ensure that respondents (the individuals who will interact with the Client's Pulse interviews) are properly informed about the data processing and, where required, to obtain their valid consent. Before collecting any Personal Data through the Platform, the Client must provide respondents with a clear and accessible privacy notice that meets GDPR requirements (e.g. informing them about the identity of the data controller (the Client), the purpose of the interview or survey, the types of data being collected, how it will be used, shared, and retained, etc.). If consent is the chosen lawful basis, the Client must obtain explicit, affirmative consent from respondents for the intended processing (for example, if you plan to record voice responses, you should obtain consent for that recording). The Platform provides the means to display a brief introductory screen or message to respondents, but it is the Client's duty to ensure the content of that notice is sufficient and lawful.
4.3
The Client should only use the Platform to collect Personal Data that is necessary and relevant for the stated purpose of the interview or survey. The Client shall not ask for or collect highly sensitive personal data (so-called "special categories" under GDPR, such as data about health, sexual orientation, political opinions, religious beliefs, or biometric data) unless it is strictly necessary, you have a lawful basis that specifically permits such processing (e.g. explicit consent), and you have taken appropriate measures to protect such data. The Client is solely responsible for the content of the questions and prompts it configures on the Platform and for ensuring that such content and the data solicited do not violate any laws or rights of the respondents.
4.4
The Client must not use the Platform to collect or process any information in a manner that is unlawful, discriminatory, defamatory, harmful, or otherwise violates any applicable law or anyone's rights. For example, the Client may not use the Platform to: (a) collect data from children/minors without adhering to applicable age-of-consent laws and parental consent requirements; (b) ask questions that are offensive, obscene, or that infringe on human rights or privacy rights; (c) engage in any form of harassment or unlawful profiling of respondents. Resona does not monitor the content the Client creates or the data collected, however, Resona reserves the right to review, refuse, or remove any survey/interview or question set that, in Resona's reasonable opinion, is unlawful or violates these Terms or applicable policies. If we believe the Client's use of the Platform is violating the above restrictions or any law, we may suspend or terminate that particular project and will inform the Client of such action. The Client agrees to indemnify and hold Resona harmless for any claims or damages arising from the Client's unlawful or improper use of the Platform's data-collection capabilities.
4.5
If the Client uses the Platform to send invitations or links to respondents (for example, by emailing a pulse link via the Platform or uploading a list of respondent email addresses), the Client must ensure that such communication is done lawfully. This means the Client should only contact individuals who have consented to be contacted or with whom the Client has another lawful basis to communicate. The Client must not upload or use any email address or contact data in the Platform unless the Client has the legal right to do so. The Client is solely responsible for the content of any email or message sent to respondents and for compliance with anti-spam/e-privacy laws.
4.6
The Client is responsible for maintaining the confidentiality and security of its account credentials to the Platform. The Client will ensure that any personnel or agents it authorizes to access the Platform do so only for legitimate business purposes and are bound to handle Personal Data in compliance with these Terms and applicable law. The Client should promptly revoke access for any user who is no longer authorized. The Client must immediately notify Resona of any unauthorized access or use of its account or the data therein that it becomes aware of.
4.7
The Client acknowledges that Resona does not provide legal advice and that by providing the Platform, Resona is not giving any representation or warranty that any particular use by the Client is compliant. The Client is responsible for configuring and using the Platform in a manner consistent with the Client's regulatory obligations. This includes, if required, conducting a Data Protection Impact Assessment (DPIA) before using the Platform for high-risk processing (such as large-scale surveys involving sensitive data or automated profiling of individuals) and, if necessary, consulting with the relevant supervisory authority. The Client should also ensure that appropriate records of processing activities are kept, as required by GDPR Article 30, covering the processing performed with Resona as processor.
5. Resona's Responsibilities and Data Processor Obligations
As the Data Processor, Resona is committed to meeting its obligations under GDPR Article 28 and other applicable laws. We will, in relation to any Personal Data processed on the Client's behalf in the course of providing the Platform, ensure the following:
5.1
Resona will only process Personal Data on behalf of the Client in accordance with the Client's documented instructions. These Terms (including the Client's configuration and use of the Platform) constitute the Client's initial instructions to Resona. We will process the data only for the purposes of providing the services and features of the Platform, as well as any other purposes expressly agreed to by the Client. Resona will not use, access, or process the Client's data for any independent purpose (such as marketing or product development) without the Client's authorization. If Resona believes an instruction from the Client violates GDPR or other applicable law, we will inform the Client and may refuse to execute that instruction until it is confirmed or modified.
5.2
Resona will ensure that all personnel authorized to process the Personal Data are under appropriate obligations of confidentiality. Resona will not disclose the Client's Personal Data to any third party unless (a) directed by the Client, (b) as needed to engage authorized Subprocessors (as listed in Section 7) for service delivery, or (c) as required by law (in which case, whenever legally permitted, we will inform the Client of that requirement before disclosure).
5.3
Resona will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or alteration. These measures are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, the nature of the data, and the potential risks. Section 8 (Data Security) below provides more detail on our security commitments.
5.4
Resona will assist the Client in fulfilling its obligations to respond to data subjects requests to exercise their rights, to the extent that such assistance is necessary and within Resona's reasonable control. If a data subject (respondent) submits a request directly to Resona (e.g., contacting us to ask about or delete their data), we will promptly inform the Client and, unless legally prohibited, will not respond directly to the data subject without the Client's instruction. We will, upon the Client's request, provide reasonable help by supplying relevant information or tools (such as export of data) so the Client can meet obligations for access, erasure, restriction, etc. Any assistance beyond the standard functionality of the Platform may be subject to an agreed arrangement (and if the effort is significant, a reasonable fee, as allowed by GDPR).
5.5
Resona will assist the Client in ensuring compliance with the Client's obligations under GDPR Articles 32 to 36 (security of processing, breach notifications, data protection impact assessments, and prior consultation with authorities), taking into account the nature of processing and information available to Resona.
In the event Resona becomes aware of a personal data breach affecting the Client's Personal Data, Resona will notify the Client without undue delay. (More details are provided in Section 8.) The notification will include information to assist the Client in meeting any obligations to inform supervisory authorities or data subjects of the breach, such as a description of the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed to address the breach. Resona will cooperate with the Client in the investigation and remediation of any such security incident.
5.6
Resona will only engage subprocessors (third-party service providers who help us operate the Platform and who may process Personal Data) in accordance with Section 7 below. We will inform the Client of and obtain general authorization for the subprocessors we use, and we will impose on our subprocessors the same data protection obligations that we have agreed to with the Client. In other words, any subprocessor will be contractually bound to protect Personal Data to at least the standards of this DPA and GDPR. If we need to add or change a subprocessor, we will notify the Client in advance and give the Client an opportunity to object (as described in Section 7).
5.7
If any Personal Data processed by Resona as processor is transferred from the European Economic Area (EEA) or other regions with data transfer restrictions to a country outside such jurisdiction (for example, to the United States, where some of our subprocessors are located), Resona will ensure that such transfer is lawful under Chapter V of the GDPR. Section 9 (International Data Transfers).
5.8
At the Client's direction (for example, via the Platform's features or upon written request), or upon termination of the Client's subscription or account, Resona will delete or return all Personal Data processed on behalf of the Client. By default, when the Client no longer uses the service or when an individual project is completed, Resona will retain the collected Personal Data only for as long as necessary to fulfill the purposes of processing and any legal or contractual obligations. Once those purposes are achieved, the data will be deleted or anonymized in accordance with our internal retention policies (unless the Client requests the data to be returned). More details are in Section 10 below. Resona may retain certain data if required to do so by law (e.g., for compliance or dispute resolution), but will continue to protect any such retained data under these Terms.
5.9
Resona will maintain records of processing activities it carries out on behalf of the Client, as required by GDPR Article 30(2).
5.10
Resona acknowledges the Client's right as controller to verify Resona's compliance with these data protection obligations. As detailed in Section 11 (Audit Rights), Resona will submit to audits and inspections and provide the Client with any information necessary to demonstrate compliance, in a reasonable manner.
6. Data Subject Rights and Requests
Resona will assist the Client to fulfill data subject requests:
- The Platform allows Clients to retrieve data (e.g., download response transcripts or survey answers), which can be provided to the data subject for an access or portability request.
- The Client can delete the entire projects via the Platform, which will remove the Personal Data from our active systems (with the understanding that residual copies might exist in backups for a limited period, which remain protected and will be overwritten per our retention policy). This facilitates honoring erasure requests.
- If a data subject requests to restrict processing (for example, to not have their data used while a complaint is resolved), the Client can pause or archive a project and/or instruct us to isolate that individual's data.
- For objections to processing or withdrawal of consent, the Client should cease using that individual's data and can ask Resona to assist in deleting or segregating that data.
- If a data subject contacts Resona directly to exercise their rights (e.g., emailing us to ask if we have their data), we will promptly forward the request to the Client. We will not directly respond to such requests unless the Client expressly authorizes us to do so or if we are legally compelled (in which case we will notify the Client, if permitted). We understand that in most cases, respondents should be directed to the Client (the organization that invited them to the interview) for any privacy queries.
7. Subprocessors (Authorized Third-Party Service Providers)
To deliver the Platform's functionality and services, Resona uses certain trusted third-party service providers as Subprocessors.
By agreeing to these Terms, the Client provides general authorization for Resona to engage the subprocessors listed here. Resona will notify the Client of any intended changes to this list by adding a new subprocessor or replacing one) and give the Client the opportunity to object to such changes. If the Client objects on reasonable grounds to a new subprocessor, Resona will work with the Client in good faith to address the objection, which may include choosing an alternative provider or, if no resolution is possible, allowing the Client to terminate the services that involve the disputed subprocessor.
Resona remains fully liable to the Client for the performance of subprocessors obligations.
8. Data Security Measures
We protect Personal Data by limiting access to authorized staff, using secure login methods, encrypting data in transit and at rest, relying on trusted hosting providers, and applying firewalls, monitoring, and secure development practices. We back up important data, review our security measures regularly, and collect only what is necessary.
If we detect any personal data breach (as defined by GDPR – e.g., accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data) affecting Client data, we will:
- Notify the Client without undue delay. We will contact the Client via the designated contact email or phone number provided.
- The notification will include, to the extent possible at the time, all relevant details such as the nature of the breach, the data involved (categories and approximate number of data subjects and records concerned), the likely consequences, and the measures we have taken or plan to take to address the breach and mitigate its effects.
- We will cooperate with the Client's needs to communicate to authorities or data subjects. Specifically, the Client (as controller) has the responsibility to notify supervisory authorities (within 72 hours, if required by GDPR) and/or affected individuals (if the breach is likely to result in a high risk to them) – we will provide the Client with the information needed for such notifications.
9. International Data Transfers
9.1
Resona is established in the European Union (our primary infrastructure is in the EU). We prioritize storing and processing Personal Data within the EU/EEA whenever feasible. However, some of our subprocessors and tools are based outside of the EEA.
9.2
For any transfer of Personal Data from the EU/EEA to a country not deemed "adequate" by the European Commission, Resona will ensure that one of the following safeguards is in place:
- Standard Contractual Clauses (SCCs): We have entered into the latest EU Standard Contractual Clauses (pursuant to European Commission Decision 2021/914, Module 3 for processor-to-subprocessor transfers, and Module 2 for controller-to-processor where applicable) with our U.S. subprocessors that process EU personal data. These SCCs contractually oblige the recipient to provide a level of protection to the personal data equivalent to EU standards.
- Data Privacy Framework: If a subprocessor is certified under the EU-U.S. Data Privacy Framework (the successor to Privacy Shield) or other recognized transfer mechanism, we may rely on that as a lawful basis for transfer, provided it is valid under EU law.
10. Data Retention and Deletion
10.1
Resona will retain Personal Data processed on behalf of the Client only for as long as necessary to provide the Platform services to the Client, or as instructed by the Client. By default, as long as the Client's account is active and the Client has not deleted the data, we will keep the data available on the Platform.
10.2
The Client has the right to request deletion or return of its Personal Data at any time.
10.3
If the Client's subscription or contract with Resona ends, Resona will, at the Client's choice, either return all Personal Data to the Client or delete all Personal Data from our systems.
11. Audit Rights and Accountability
11.1
Resona will provide to the Client all information necessary to demonstrate compliance with our obligations under this DPA. This documentation may include security policies, summaries of audit reports or public certifications if available.
11.2
The Client or an independent auditor mandated by the Client (who is not a competitor of Resona and is bound by appropriate confidentiality) has the right to conduct an audit or inspection of Resona's operations insofar as they relate to the services provided to the Client and the Personal Data processed for the Client.
11.3
To request an audit, the Client should provide at least 30 days advance written notice to Resona, along with a detailed audit plan outlining the proposed scope, duration, and start date. This is to allow us to accommodate and schedule the audit without undue disruption to operations. We will work in good faith to adjust any details as needed. Audit must be conducted during normal business hours, with minimal interference to Resona's business and in accordance with agreed-upon safety or security procedures.
12. Liability and Indemnification
12.1
Each party shall be liable for and shall indemnify the other party for any fines, penalties, or damages (including reasonable legal fees) incurred as a result of its breach of these data protection Terms or violation of Data Protection Laws, to the extent that the party is deemed responsible for the violation.
12.2
The Client, as Controller, acknowledges that it will be responsible for any harm or liability arising from: (a) the Client's failure to obtain necessary consents or provide required notices to data subjects; (b) the Client's instructions to Resona that infringe applicable laws; or (c) the Client's misuse of the Platform in violation of these Terms or data protection laws (e.g., collecting unlawful content or failing to handle data subject requests). The Client agrees to hold Resona harmless from claims by third parties (including data subjects or regulators) that arise from the Client's aforementioned actions or omissions.
12.3
Resona, as Processor, will be liable for damages or regulatory penalties resulting from Resona's breach of its obligations under these Terms or GDPR that are specifically attributable to Resona's actions. Resona will indemnify the Client for any loss or damage to the extent caused by Resona's failure to comply with the obligations in this DPA. Notwithstanding the foregoing, Resona's total aggregate liability under this DPA, including for any indemnification obligations, shall be limited to an amount not exceeding the fees paid by the Client to Resona in the twelve (12) months immediately preceding the date on which the event giving rise to the claim occurred.
13. Miscellaneous Provisions
13.1
These Terms (including the DPA) shall be governed by and construed in accordance with the laws of Belgium, and any dispute arising from it shall be subject to the exclusive jurisdiction of the courts of Belgium, unless otherwise required by applicable data protection laws.
This Data Protection Agreement (together with any other portions of the Terms of Service and any other documents incorporated by reference) constitutes the entire agreement between Resona and the Client regarding the processing of Personal Data in connection with the Platform. It supersedes any prior agreements, understandings, or communications on this topic. In case of any conflict between this DPA and any other agreement (including any prior standard terms), the provisions of this DPA shall prevail with respect to data protection matters.
13.2
Any provision of these Terms is found to be invalid or unenforceable by a court or authority of competent jurisdiction, that provision shall be interpreted in a manner to make it valid, or if that's not possible, it shall be severed from the agreement, and the remaining provisions will remain in full effect. The parties will negotiate in good faith to replace any invalid provision with a valid one that most closely approximates the intent and economic effect of the invalid provision.
13.3
Resona may update or modify these Terms (including the DPA) from time to time, for example, to reflect changes in the applicable laws. If we make material changes, we will provide notice to the Client and the opportunity to review the changes. If the Client objects to the changes, the Client may cease using the Platform and terminate the agreement (and request deletion of data) as per Section 10. Continued use of the Platform after the effective date of an update will constitute acceptance of the modified Terms.
The Client may contact Resona with any questions or concerns about these Terms or data privacy matters. Our designated contact for privacy/GDPR issues is: privacy@resona.now.