These Data FAQs are subject to change at any time without notice, and are provided as a courtesy. They do not constitute legal advice and do not impose obligations on either Hopin or any customer or user of the Hopin suite.
Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of personal data.
When using Hopin Events, you the Customer, are the controller of Event Content. “Event Content” includes materials submitted in the course of creating an event, as well as any personal data embedded in your event related contents, such as recordings of events, materials you stream during the event, attendee chat transcripts, and other information and materials submitted to or during an event
Given that your Event Content may also embed the personal data of your speakers and attendees, you will be solely responsible for securing consent, contractual agreement, or establishing a lawful basis for processing that embedded personal data. You are also responsible for data subject requests relating to Event Content. We, as your processor, will act on your instructions for handling your data subject requests to help remove or anonymize the personal data of the data subject. Note, however, that we are unable to remove or obscure faces and voices from your Event Content because they are embedded in your recording.
Both we, and you, as our customer, are each independent controllers of Participant Data. “Participant Data” includes information provided by end users when they create a Hopin account and when they attend an event on Hopin Events, including (a) image; (b) email address; (c) first and last name; (d) alias; (e) event participation information (like event name and date and time of event); and (f) any additional information provided independently by individuals in connection with customer events on the Hopin platform.
For example, when an attendee creates a Hopin account to attend an Event on our platform, they provide their full name and email address. Hopin is an independent controller of this data.
When you provide (e.g. upload or push from your CLM) a list of names and emails of potential attendees for a Hopin event, you are the controller of that list. Hopin only becomes an independent controller when a user creates a Hopin account to attend the event.
When acting as independent controllers, each of us is separately responsible for compliance with all applicable laws, including data protection laws, such as providing notice or transparency or obtaining consent where required.
StreamYard Studio can be used independently as a stand-alone product or in conjunction with Hopin Events. In either scenario, you are the sole owner and controller of all materials included in your video streams, and we act purely as a processor.
We are committed to protecting the confidentiality, integrity and availability of our information systems and our customers’ personal data. We are constantly improving our security controls and analyzing their effectiveness to give you confidence in our solution. Our security standards are available at https://hopin.com/security and incorporated into the Advanced Platform Terms. A highlight of some of our technical and organizational measures in place for both Hopin Events and StreamYard Studio include:
Because the same security standards apply to all Customers using the Hopin Events and StreamYard Studio services, we do not accept Customer security terms and cannot modify our security terms on a per-customer basis.
Hopin Events is cloud-based and hosted by Amazon AWS.
By default, recordings of Event Content are stored in the US (us-east-1 – Ashburn, Virginia) and Participant Data is stored in the EU (eu-west-1 region - Dublin, Ireland).
However, if you are a Hopin Events business and enterprise customer, you can choose to store both Event Content and Participant Data (e.g. all of your data) in the EU. Just notify your Hopin relationship manager to ensure the desired settings are applied to your account.
Hopin Events offers several third-party integrations that you may implement to enhance your event or ensure seamless communication with your organization’s CRM tools, such as Salesforce, Marketo, HubSpot, Interprefy, and many others. A current list of Hopin Events integration providers is available here. If you choose to use one or more of these third-party integrations, the respective integration provider’s use and processing of personal data is controlled by the integration provider’s terms and conditions and/or your agreement with them. We do notcontrol and are not responsible for the data practices of these third-party integration providers, and you should carefully evaluate these service providers as you would any third party. We also cannot ensure that these providers will store your data in the EU or other specific location. Therefore, if this is important to you, you should ask these providers directly where they store your data before implementing their integration.
StreamYard Studio offers cloud-based live streaming and recording and is hosted by Google Cloud in the US.
While Hopin Events is able to offer storage wholly within the EU, it (like most other companies throughout the world) relies on certain sub-processors located outside of the UK/EU, primarily in the US. A list of sub-processors for Hopin Events is available here. When data is transferred from the UK/EU, we undertake to ensure that such transfers comply with applicable data protection law, including through the use of appropriate Standard Contractual Clauses. Please see also Section “What about Brexit?” below. Additionally, we have implemented a number of measures aimed to ensure an adequate level of protection for EU customer data, such as encryption in transit, encryption at rest, and access controls.
It is ultimately for our customers to determine how risky this is, but to summarize some helpful commentary from a U.S. Department of Commerce White Paper on this subject:
A list of sub-processors for StreamYard Studio is available here.
The UK’s data protection system, now known as the UK GDPR, continues to be based on the same rules that were applicable when the UK was a member state of the EU. The UK has fully incorporated the principles, rights, and obligations of the GDPR into its post-Brexit legal system.
On 28 June 2021, the European Commission (“EC”) determined that the UK’s data protection laws are “adequate” so that transfers of personal data from the EU to the UK are not restricted.
For the opposite direction of transfer, from the UK to the EU, there has been no practical change from before Brexit. The UK has issued guidance that UK companies like Hopin can continue to send personal data to EU countries which are still deemed adequate.
With regard to transfers from the EU to “non-adequate” third countries, the EC published a new set of SCCs for cross-border data transfers. The legacy SCCs continued to remain in effect for new data transfers (i.e., new contracts) during a three-month transition period that ended on 27 September 2021. Existing transfers (i.e., pre-existing contracts) may continue to rely on the legacy SCCs until 27 December 2022.
As for transfers from the UK to “non-adequate” third countries, the ICO currently is assessing how to address cross-border data transfers going forward under the UK version of the GDPR and in conjunction with the EU SCCs.
Links to relevant Modules of the new SCCs have been incorporated by reference into our DPA.
Unfortunately, no. Our data processing agreement (“DPA”), which complies with GDPR, UK GDPR, and the CCPA is specific to our data handling constructs, services, and privacy practices. Other DPAs rarely contemplate the data handling constructs discussed above. Moreover, if you are purchasing both Hopin Events and StreamYard Studio, our DPA and commercial paper accommodates your purchase of both services in one DPA.
You can review our DPA online by visiting https://hopin.com/dpa. When you purchase a subscription with us, the DPA is automatically incorporated by reference into the Platform Terms and deemed signed by both parties.
No. This is a common misconception. If your company is not currently subject to GDPR, simply using Hopin Events does not make you subject to GDPR. The European Data Protection Board (“EDPB”) released guidelines to clarify this to overcome the obviously undesirable effect of discouraging non-EU companies from doing business with EU companies, “[a] ‘non-EU’ controller […] will not become subject to the GDPR simply because it chooses to use a processor in the Union.”
Your company may be subject to GDPR for other reasons (you target EU users, you have an established presence in the EU) so please consult your legal counsel.
Read the EDPB’s full guidance on the territorial scope of the GDPR here. Specifically see Page 12.
For data that is in our possession or control, and not yours, send an email to us at [email protected] with “Customer Data Subject Request” in the subject line. Please include your company name, the data subject’s email address, and specific instructions on how to handle the request with respect to data over which we are a processor.
In order to investigate your trademark complaint, please provide all of the information listed below and press submit
Use the form below to identify content that you would like removed based on alleged infringement of your copyright(s)