Get Started View Pricing Plans
for Online Surveys

Grapevine delivers! Top-notch sales & service, exceptional tech support, a highly reliable system, all contributing to superior results each time. Thanks for the great product and to all the Grapevine staff who make the surveying process a breeze.

Sylvia Mauti Torlys

We have used the grapevine tool for employee surveys and found it to be very user friendly. We continue to be a very satisfied customer and I would highly recommend Grapevine to other companies.

Albert Saltarelli, Human Resources Manager
Priszm Brandz Inc.

By using Grapevine's employee feedback software, I was able to build and deploy the survey in less than 1 hour! Grapevine has also streamlined the cumbersome process of results consolidation into just minutes.

Patrick Kelley, HRIS
Boston Scientific

Allows us to easily contact and survey the needs of a variety of stakeholders of the health care system across North America. It is user friendly and allows rapid, effective analysis of responses that assist us in important decision making.

Sue Freshwater
Hamilton Health Sciences

Grapevine has saved us a ton of time. Grapevine allows us to not only brand the survey for our organization, but also ask the type of questions that are best for the audience we are serving.

Bill McAuliffe, Learning & Development

Grapevine lets our association vote for our Board of Directors online. The user friendly features allowed us to provide our members with convenience for voting. We also appreciate the great customer service!

Karen Olivar
Engineering & Utility Contractors Association

Grapevine Surveys is an effective, easy to use tool that has helped us better gauge internal and external customer needs and collect actionable feedback.

Beverlee Searle, Manager, Market Intelligence

We are now able to summarize and analyze our student feedback within minutes, rather than the two-weeks it was taking us before. It's an excellent tool and we recommend it without hesitation.

Michael Pearce, Program Director,
Richard IVEY School of business

Grapevines flexibility and widespread capabilities have significantly supported our efforts in "Cultural Transformation", both in traditional and non traditional applications.

Mark Wilson, SVP HR

Grapevine is an easy-to-use survey management system that enables me to implement and manage my research program effectively and keep an up-to-the-minute snapshot of my surveys.

Sharon Valencik, Director of Research
The Telecom Intelligence Group

Grapevine is a wonderful tool!

Breena Means
Ohio Public Employees Retirement System

I used Grapevine to do our quarterly surveys. We started getting results back immediately and over 50% completion within one week. The results are not only more accurate, but the users felt more comfortable giving honest feedback through this method.

Bob Schultz

Grapevine Annex


Grapevine™, owned and operated by Aylen Capital Inc., a Canadian company (the “Processsor”) provides and maintains an Internet Web site (the "Site") with related proprietary software tools and processes to create individualized surveys and polls and to obtain survey and poll results, reports and associated services (the "Services") pursuant to the Terms of Use (“the Agreement”) which have been accepted and agreed to by the Customer (as defined in the Agreement). These Services may entail the Processing of Personal Data (as defined below).

The European General Data Protection Regulation (GDPR) imposes specific obligations on Processor and Customer (as a controller) with regard to their vendor relationship. The GDPR requires companies to have contracts containing specific provisions relating to data protection.

The Agreement contains provisions requiring each party to comply with all applicable laws. This GDPR Annex documents the data protection requirements imposed upon the parties by the GDPR. This Annex is hereby incorporated by reference into the Agreement in order to demonstrate the parties’ compliance with the GDPR. Nothing in this Annex changes the scope of the Services or modifies Grapevine’s obligations under the Agreement. The terms of this Annex shall be effective as of May 25, 2018.

1. For purposes of this Annex, “GDPR” means Regulation (EU) 2016/679, the General Data Protection Regulation, together with any addition implementing legislation, rules or regulations that are issued by applicable supervisory authorities.
Words and phrases in this Annex shall, to the greatest extent possible, have the meanings given to them in Article 4 of the GDPR. In particular:

(a) “Personal Data“ has the meaning to given to it in Article 4(1) of the GDPR: “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,” but only to the extent such personal data pertain residents of the European Economic Area (EEA) or are otherwise subject to the GDPR.

(b) “Personal Data Breach” has the meaning given to it in Article 4(12) of the GDPR: “[any] breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

(c) “Processing” has the meaning given to it in Article 4(2) of the GDPR: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”

(d) “Subprocessor” means any processor as defined in Article 4(8) of the GDPR: “[any] natural or legal person, public authority, agency or other body which processes personal data” on behalf of the Processor (including any affiliate of the Processor).

(e) “Transfer” means to disclose or otherwise make Personal Data available to a third party (including to any affiliate or Subprocessor), either by physical movement of the Personal Data to such third party or by enabling access to the Personal Data by other means.

2. For purposes of this Agreement, Customer and Grapevine agree that Customer is the “Controller” of the Personal Data and Grapevine is the “Processor” of such data.

3. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that Processing is performed in accordance with the GDPR. Those measures shall include the implementation of appropriate data protection policies by the Controller. The measures shall be reviewed and updated where necessary.

4. In accordance with GDPR Article 28(1), Processor represents that it has implemented appropriate technical and organizational measures in such a manner that its Processing of Personal Data will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects.

5. In accordance with GDPR Article 28(2), the Processor shall not engage any Subprocessor without prior authorization of Customer.

6. In accordance with GDPR Article 28(3), the following terms are incorporated by reference into the Agreement:

(a) The Processor shall only process the Personal Data (i) as needed to provide the Services, (ii) in accordance with the specific reasonable instructions that it has received from Customer, including with regard to any Transfers, and (iii) as needed to comply with law (in which case, the Processor shall provide prior notice to Customer of such legal requirement, unless that law prohibits this disclosure);

(b) Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) Processor shall take all security measures required by GDPR Article 32, namely:

i. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;

ii. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

iii. The Processor shall take steps to ensure that any natural person acting under the authority of the Processor who has access to Personal Data does not process them except on instructions from Customer, unless he or she is required to do so by EEA Member State law.

(d) Taking into account the nature of the processing, Processor shall reasonably assist Customer (at Customer’s expense) by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject's rights;

(e) Taking into account the nature of processing and the information available to the Processor, Processor shall comply with (and shall reasonably assist Customer to comply with) the obligations regarding Personal Data Breaches (as set forth in GDPR Articles 33 and 34), data protection impact assessments (as set forth in GDPR Article 35), and prior consultation (as set forth in GDPR Article 36);

(f) At Customer’s discretion, the Processor shall delete or return all the Personal Data to Customer (in the Processor’s standard format) after the end of the provision of services relating to Processing, and delete existing copies unless applicable law requires storage of the Personal Data.

(g) The Processor shall provide Customer with all information reasonably necessary to demonstrate compliance with the obligations laid down in the GDPR, and (at Customer’s expense and subject to Processor’s reasonable procedures as described in the Agreement) allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer; and

(h) The Processor shall immediately inform Customer if, in its opinion, an instruction infringes the GDPR other Union or Member State data protection provisions. (The parties acknowledge that Processor relies on Customer to verify that the instructions given by Customer with respect to the Processing comply with applicable laws.)

7. The Processor shall not Transfer any Personal Data (and shall not permit its Subprocessors to Transfer any Personal Data) without the prior consent of Customer. The Processor understands that Customer must approve and document that adequate protection for the Personal Data will exist after the Transfer, using contracts that provide sufficient guarantees (such as standard contractual clauses) unless another legal basis for the Transfer exists.

8. The Processor will promptly and thoroughly investigate all allegations of unauthorized access to, use or disclosure of the Personal Data. Processor will notify Customer without undue delay of any Personal Data Breach.

9. The Processor shall maintain all records required by Article 30(2) of the GDPR, and (to the extent they are applicable to Processor’s activities for Customer) Processor shall make them available to Customer upon request.

Modified May 25, 2018