If we would sign a DPA covering the same personal data that we depend on to provide our services, we would instead be considered a “processor” in relation to such data and depend on your instructions when we provide our services. That situation may prevent us from providing the service you pay us to do and we believe that this is neither required according to GDPR nor appropriate. How we structure our services must be entirely under our control, and, as a consequence, our responsibility.
An example: if you as an organization purchase a subscription with several licenses and invite colleagues to register for a Mentimeter account using their email addresses, we are dependent on our right to use these addresses in order to comply with the obligations described in our online terms. This could be related to us being able to, for example, provide appropriate security measures or being able to communicate with our users to provide help or give information if there is a difficult situation.
If you are a controller in relation to the same personal data that we need to process to provide our services, there is simply a transfer of personal data between two independent controllers processing the same personal data for different and independent purposes. To give some comfort in this situation, we do have data processing agreements as well as sufficient safeguards for data transfers between EU and non-EU countries in place with all our processors (such as the Standard Contractual Clauses (SCC) adopted by the European Commission).