ENTERED INTO BETWEEN:
Hopin Limited, incorporated and registered in England and Wales with company number 12035150 whose registered office is at 5 Bonhill St, Shoreditch, London, EC2A 4BX (“Hopin”).
The Customer identified in the applicable Hopin purchase order.
Each a “party,” together the “parties.”
The parties have entered into an agreement for Hopin to provide certain event services (the “Services”) to the Customer (the “Main Agreement”). This data processing agreement (the “DPA”) sets forth the terms on which the parties will collect and process personal data in connection with the Service, and is hereby incorporated into the Main Agreement by reference.
APPLICATION OF THIS DPA
Events held on Hopin’s platform and associated technology (“Platform”) can be attended by individuals from around the world. Hopin’s processing of personal data is subject to privacy laws in England and the European Union irrespective of Customer’s location, and depending on where Customer and attendees of an Event are located, various different jurisdictions’ privacy laws may also apply.
This DPA will always apply to the processing of personal data under the Main Agreement. Section 7 will only apply to the extent that a Restricted Transfer takes place.
DESCRIPTION OF DATA PROCESSING
This section describes the subject-matter, nature and purpose, duration of the processing, the type(s) of personal data being processed, and the categories of data subjects that may be processed depending on the nature of the Services and role of each of Hopin and Customer:
Data Processing Details
Subject matter
Processing of data related to the Services as described in the Main Agreement
Nature and purpose
Processing data for the purpose of managing access to Hopin’s platform by Customer and end users
Duration
For Customer Participant Data and Event Content: Term of the Main Agreement
Types of personal data
- “Customer Info” is the contact information of Customer’s employees, contractors, agents, representatives, and authorized personnel, for the administration of the Main Agreement.
- “Participant Data” such as (a) image; (b) contact details and address; (c) first and last name; (d) alias; (e) event participation and registration data; and (f) additional information provided independently by individuals in connection with Customer’s events.
- Personal data embedded in Customer event related content (“Event Content”).
Categories of Data Subject
- Customer employees for the administration of the Main Agreement
- individuals in Event Content
“Applicable Laws” means the law of the European Union (for so long as and to the extent that they apply to the Data Processor), the law of any member state of the European Union and/or the UK Data Protection Legislation and any other law that applies in the UK; and the California Consumer Privacy Act of 2018 (AB 375) (“CCPA”).
“Business” is as defined in the CCPA.
“controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing,” “service provider” and “appropriate technical and organisational measures” are as defined in the Data Protection Legislation. “personal data” includes “personal information” as defined by the CCPA.
“C-to-C Transfer Clauses” means Standard Contractual Clauses for controller-to-controller Restricted Transfers available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32004D0915&from=EN and, to the extent applicable, incorporated herein by reference.
“C-to-P Transfer Clauses” means the Standard Contractual Clauses for controller-to-processor Restricted Transfers available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32010D0087&from=en and, to the extent applicable, incorporated herein by reference.
“Data Protection Legislation” means the UK Data Protection Legislation and any other legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications) and including the CCPA; and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.
“Restricted Transfer” means a transfer of personal data under this DPA from the European Union, Switzerland, or United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Applicable Laws of the foregoing territories, to the extent such transfers are subject to such Applicable Law.
“UK Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
1. Applicability of DPA and scope of data processing activities
1.1. Customer and Hopin each act as an independent Data Controller of Customer Info and Participant Data. Each party represents and warrants that it has provided any necessary notices and if required, obtained any necessary consents related to the collection of such personal data and, as applicable, it has the right to share such personal data with the other party. Sections 6 to 8 of this DPA apply. All other terms of this DPA apply regardless of the role of the parties except where expressly stated.
1.2. In all circumstances, Customer is the Data Controller of Event Content and Hopin is the Data Processor.
1.3. All data for which Hopin acts as a Data Processor shall be referred to herein as “Customer Personal Data” and Sections 2 through 5 shall apply to the processing of such data.
1.4. All other provisions of this DPA apply regardless of the role of the parties except where expressly stated.
Hopin As Data Processor:
2. Compliance with Data Protection Legislation
2.1. Data Processor may, at any time on not less than 30 days’ notice, revise this DPA by replacing it with any applicable controller to processor standard clauses or similar terms approved by the relevant supervisory authority forming part of an applicable certification scheme to which the Data Processor is subject.
2.2. Both parties will comply with all applicable requirements of the Data Protection Legislation. This Section 2.2 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.
3. Data Controller’s Responsibilities
3.1. Without prejudice to the generality of Section 2.2, the Data Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to the Data Processor and/or lawful collection or processing of the Customer Personal Data by the Data Processor on behalf of the Data Controller for the duration and purposes of this DPA. Data Controller will not instruct Data Processor to process any personal data, including Customer Personal Data, in violation of Data Protection Legislation.
4. Data Processor’s Responsibilities
4.1. Without prejudice to the generality of Section 2.2, the Data Processor shall, in relation to any personal data processed in connection with the performance by the Data Processor of its obligations under this DPA:
4.2. process that Customer Personal Data only on the documented written instructions of the Data Controller, which include this DPA and the Main Agreement, unless the Data Processor is required by Applicable Laws to otherwise process that personal data. Without limiting the foregoing, where the Data Processor is relying on Applicable Laws as the basis for processing Customer Personal Data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller;
4.3. ensure that it has in place appropriate technical and organisational measures provided in https://hopin.com/security (the “Security Measures”), to protect against unauthorised or unlawful processing of Event Content and against accidental loss or destruction of, or damage to, Event Content, appropriate to: the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage of the data; and the nature of the data to be protected, in all cases having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Customer Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
4.4. ensure that all personnel who have access to and/or process Customer Personal Data are obliged to keep the Customer Personal Data confidential;
4.5. not transfer any Customer Personal Data outside of the European Economic Area and the United Kingdom unless either: the Commission has decided, in accordance with Article 45 of the General Data Protection Regulation ((EU) 2016/679), that the third country (or sector thereof), territory, or international organisation to which personal data is to be transferred, ensures an adequate level of protection; or pursuant to a transfer mechanism that is compliant with Data Protection Legislation, which may include but is not limited to approved Standard Contractual Clauses;
4.6. assist the Data Controller, at the Data Controller’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
4.7. notify the Data Controller without undue delay, and where practicable, within 48 hours, on becoming aware of a personal data breach of Customer Personal Data;
4.8. at the written direction of the Data Controller, delete or return Customer Personal Data and copies thereof to the Data Controller on termination of the DPA unless required by Applicable Law to store the Customer Personal Data;
4.9. maintain complete and accurate records and information to demonstrate its compliance with this Section 4 and allow for audits by the Data Controller or the Data Controller’s designated auditor, only so far as is necessary in order to demonstrate compliance, provided that the Data Controller: provides the Data Processor with no less than 30 days’ notice of such audit or inspection; and the parties agree the scope, duration, and purpose of such audit or inspection in advance. Data Controller shall conduct its audit in a manner that will result in minimal disruption to Data Processor’s business operations and shall not be entitled to receive data or information of other clients of Data Processor or any other confidential information of Data Processor that is not directly relevant for the authorized purposes of the audit. If the Data Controller becomes privy to any confidential information of the Data Processor as a result of this Section 4.9, the Data Controller shall hold such confidential information in confidence and, unless required by law, not make the confidential information available to any third party, or use it for any other purpose. The Data Controller acknowledges that the Data Processor shall only be required to use reasonable endeavours to assist the Data Controller in procuring access to any third party assets, records or information as part of any audit; and
4.10. inform the Data Controller immediately if, in the Data Processor’s opinion, an instruction from the Data Controller infringes (or, if acted upon, might cause an infringement of) the Data Protection Legislation.
5. Third party processors
5.1. The Data Controller acknowledges and consents generally to the appointment by the Data Processor of third parties as sub-processors of the Customer Personal Data being processed under this DPA.
5.2. The Data Processor confirms that: (a) it shall impose on all sub-processors the same data protection obligations as set out in Section 1 and 4; and (b) the Data Processor shall remain fully liable for the actions of its sub-processors at all times.
5.3. The Data Processor shall give the Data Controller notice of the appointment of any new sub-processors. Data Controller may reasonably object to such appointment within ten (10) U.S. business days of such notice. If Data Controller objects to such changes, Data Controller will give Data Processor the opportunity to make a change in the service or recommend a commercially reasonable change to Data Controller’s configuration to avoid processing of personal data by the objected-to new subprocessor without unreasonably burdening Customer.
6. Customer and Hopin as Independent Controllers
6.1. Each party is solely responsible for compliance with Applicable Laws, including Data Protection Legislation, with respect to its own processing of personal data in connection with the Services, including:
6.2. Any legal requirement to provide notice or transparency to data subjects regarding or to obtain an individual’s consent for its own processing of the personal data.
6.3. Any legal requirement applicable to its own transfer of personal data to the other party.
6.4. Each party shall provide reasonable assistance to and cooperation with the other party for their consultation with supervisory authorities in relation to the transfer, control, and processing of personal data involved in this DPA.
6.5. Each party shall be responsible for responding to and, if required, complying with, any data subject requests to exercise rights under Data Protection Legislation with respect to personal data, or a request purporting to exercise such rights, or a complaint related to the processing of such data. Notwithstanding the foregoing, as applicable the Parties will reasonably cooperate to address the situation promptly and in compliance with Data Protection Legislation.
7. Restricted Transfers
7.1. For Restricted Transfers, the parties agree to be bound by the applicable standard contractual clauses (“SCCs”) to the extent that either party processes personal data of data subjects located in the United Kingdom or European Economic Area. In case of conflict between the SCCs and this DPA, the SCCs will prevail. The SCCs shall not apply with respect to personal data that either party processes in a country that the European Commission has decided provides adequate protection for personal data. By entering into this DPA, the parties are deemed to have executed the applicable SCCs and its corresponding appendices.
7.2. When Hopin and Customer act as independent controllers and Customer engages in a Restricted Transfer to Hopin, the C to C Transfer Clauses will be deemed completed as follows:
7.2.1. The “exporter” is the Customer and Customer’s contact information is set forth in the Main Agreement.
7.2.2. The “importer” is Hopin, and Hopin’s contact information is set forth below.
7.2.3. For the purpose of Annex B to the C to C Transfer Clauses (i) the data subjects are those end users whose personal data Customer provides to Hopin in accordance with the Main Agreement; (ii) the purpose of the transfer is to permit provision of the Services in accordance with the Main Agreement; (iii) the categories of personal data are: Customer Info and Participant Data; (iv) the recipients of the personal data are Hopin and as set forth in the Main Agreement; (v) it is not anticipated that sensitive data will be transferred; (vi) there is no applicable data registration information; (vii) there is no additional useful information; and (viii) the contact points for data protection inquiries are as set forth in the Main Agreement. For the purposes of clause II(h) of the C to C Transfer Clauses, Hopin hereby selects option (iii) and agrees to be governed by and comply with the data processing principles set out in Annex A to the C to C Transfer Clauses. To the extent the terms of the C to C Transfer Clauses conflict with other terms of your Main Agreement, the terms of the C to C Transfer Clauses will control.
7.3. When Hopin and Customer act as independent controllers and Hopin engages in a Restricted Transfer to Customer, the C to C Transfer Clauses will be deemed completed as follows:
7.3.1. The “exporter” is Hopin, and Hopin’s contact information is set forth below.
7.3.2. The “importer” is Customer, and Customer’s contact information is set forth in the Main Agreement.
7.3.3. For the purpose of Annex B to the C to C Transfer Clauses (i) the data subjects are those end users whose personal data Hopin provides to Customer in accordance with the Main Agreement; (ii) the purpose of the transfer is to permit provision of the Services in accordance with the Main Agreement; (iii) the category of personal data is Customer Info and Participant Data; (iv) the recipients of the personal data are Customer and as set forth in the Main Agreement; (v) all categories of sensitive data may be transferred; (vi) there is no applicable data registration information; (vii) there is no additional useful information; and (viii) the contact points for data protection inquiries are as set forth in the Main Agreement. For the purposes of clause II(h) of the C to C Transfer Clauses, Customer hereby selects option (iii) and agrees to be governed by and comply with the data processing principles set out in Annex A to the C to C Transfer Clauses. To the extent the terms of the C to C Transfer Clauses conflict with other terms of the Main Agreement, the terms of the C to C Transfer Clauses will control.
7.4. When Hopin is acting as a data processor to Customer and Customer engages in a Restricted Transfer to Hopin, the C to P Transfer Clauses will be deemed completed as follows:
7.4.1. The “exporter” is the Customer, and the exporter’s contact information is set forth in the Main Agreement.
7.4.2. The “importer” is Hopin, and Hopin’s contact information is set forth below.
7.4.3. For the purpose of Appendix 1 to the C to P Transfer Clauses: (i) data subjects are (a) Customer employees; (b) Customer end users; and (c) individuals in Event Content; (ii) the categories of Customer Personal Data are not restricted by the Services but may include (a) Customer Employee Contact Information; (b) Participant Data; and (c) Event Content; (iii) special categories of data (if appropriate) are not anticipated but would include information provided by Customer in its content or Customer End Users in the Services; (iv) processing operations include Hopin’s provision of the Services to Customer as further described in the Main Agreement. The processing takes place from the commencement of the Main Agreement until deletion of Customer Personal Data by Hopin in accordance with the DPA.
7.5. For the purpose of Appendix 2 to the C to P Transfer Clauses: Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c), can be found at https://hopin.com/security.
8.1. This DPA is subject to the terms of the Main Agreement and is incorporated into the Main Agreement. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA will prevail to the extent of such conflict or ambiguity. This DPA will remain in full force and effect so long as: (a) the Main Agreement remains in effect; or (b) Hopin retains any personal data related to the Main Agreement in its possession or control.
8.2. This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
8.3. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this DPA or its subject matter or formation.