This Provider Data Processing Addendum ("DPA") shall govern any product or services provided to Hopin, Ltd. and its Affiliates ("Hopin") by you ("you," "your," or "Provider") as a Processor or Sub-processor (as defined below) (the "Services"). You and Hopin shall each be referred to herein as a "Party" and together as "Parties". This DPA supplements, is incorporated into, and will remain in effect for the term of any agreement between the Parties, including but not limited to any Provider or vendor agreement, any referral or reseller agreement (the "Agreement"), the duration of Services, or the processing of Hopin Personal Data, whichever is later (the "Term"). Without limiting the generality of the foregoing, the subject matter, nature, and purpose of the processing under this DPA is the provision of the Services under the Agreement, and the categories of personal data and categories of data subjects are those necessary to provide the Services under the Agreement, as described more fully in the Agreement.
Capitalized terms used but not defined in this DPA shall have the same meanings as set out in the Agreement, if applicable. For the purposes of this DPA:
“Affiliate” means, regarding a Party, any entity that directly or indirectly controls, is controlled by, or is under common control with such Party, whereby “control” (including, with correlative meaning, the terms “controlled by” and “under common control”) means the possession, directly or indirectly, of the power to direct, or cause the direction of the management and policies of such person, whether through the ownership of voting securities, by contract, or otherwise.
“Applicable Laws” means all applicable data protection and privacy legislation in force from time to time which apply to a Party relating to the use of personal data, including the Data Protection Legislation General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426); the California Consumer Privacy Act of 2018 (AB 375) (CCPA); and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.
“Controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing,” “service provider” and “appropriate technical and organizational measures” are as defined in the Data Protection Legislation. “Personal data” includes “personal information” as defined by the CCPA.
“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
“Hopin Personal Data” means any and all Personal Data that is provided to Provider or otherwise collected and/or accessed by Provider on behalf of Hopin and/or its Affiliates in the course of providing the Services under the Agreement.
“Hopin Systems” means the Information System owned or controlled by Hopin or made accessible to Provider, including any non-public networks to which it is connected.
“Information System” means the systems and electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial/process controls systems and environmental control systems.
“Multi-Factor Authentication” means authentication through verification of at least two of the following: (i) knowledge factors, such as a password; (ii) possession factors, such as a token; or (iii) inherence factors, such as a biometric characteristic.
"Provider" means the individual or entity which has entered into the Agreement with Hopin.
“Provider Systems” means the Information System of Provider used in performing Provider’s obligations in the Agreement.
"SCCs" means the then current Standard Contractual Clauses for controller-to-processor available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32010D0087&from=en and, to the extent applicable, incorporated herein by reference.
"Sub-processor" means an entity engaged by a Processor who agrees to receive from the Processor Personal Data exclusively intended for the processing activities to be carried out as part of the Services.
For purposes of this DPA, Hopin may act as a Controller, or it may act as a Processor of one of its customers. Provider therefore acknowledges that it may act as a Processor of Hopin or a Sub-processor of Hopin. Where Hopin acts as a Processor, Hopin is obligated contractually and / or under Applicable Laws to flow down certain data protection related obligations to its appointed Sub-processors. Therefore all obligations placed on Processors in this DPA shall apply to Provider regardless of whether Provider acts as a Processor or Sub-processor.
The nature, purpose and subject matter of Provider's data processing activities performed as part of the Services are set out in the Agreement. The Personal Data that may be processed may relate to event organizers, attendees, employees, contractors and contacts and may include name, email address, billing and payment information, events booked, organized and attended and any other Personal Data that may be processed pursuant to the Agreement.
Provider warrants and undertakes to process Hopin Personal Data only for the limited and specified purposes set out in the Agreement and/or as otherwise lawfully instructed by Hopin in writing (email or otherwise), except where otherwise required by applicable law. (i) Provider shall not Process Hopin Personal Data for Provider’s own purposes or for the benefit of anyone other than Hopin; and (ii) Provider shall not create or maintain data sets that are derived from or derivative works of Hopin Personal Data. Provider shall (and shall ensure that any sub-processor shall) maintain a record of all categories of processing carried out on Hopin’s behalf and make it available to Hopin or the data protection supervisory authority upon request.
Provider may only permit employees, agents, or any other person or entity acting on its behalf to access Hopin Personal Data if that access is in compliance with the Agreement, conducted by individuals who have a need-to-know and who have been appropriately trained and are bound by commercially reasonable and legally enforceable confidentiality, data privacy, and data security obligations that are no less protective of Hopin’s interests than those set forth in this Addendum.
Provider will immediately inform Hopin if, in its opinion, an instruction is in breach of Applicable Laws.
Where Provider processes Hopin Personal Data originating from the EEA, the UK and/or Switzerland, and Provider transfers such Hopin Personal Data to a country not deemed by the European Commission as providing adequate protection for Personal Data, Provider warrants and agrees:
a. To the SCCs, which are hereby incorporated into this DPA;
b. Provider is the “data importer” and Hopin is the “data exporter”;
c. Annex A of this DPA shall replace Annex A of the SCCs; and
d. To implement the technical and organizational security measures specified in Annex B before processing the Hopin Personal Data.
In the event of a conflict between the DPA and the SCCs, the provisions of the SCCs shall control.
Provider shall ensure that any person that it authorizes to process the Hopin Personal Data (including Provider's staff, agents and subcontractors) shall be subject to a duty of confidentiality, data privacy, and data security obligations that are no less protective of Hopin’s interests than those set forth in this Addendum.
Provider shall ensure that it has in place appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Hopin Personal Data and against accidental loss or destruction of, or damage to, Hopin Personal Data, appropriate to: the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage of the data; and the nature of the data to be protected, in all cases having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting Hopin Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident or personal data breach, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it).
Provider shall not (and shall ensure that any person or entity providing services on Provider’s behalf shall not) engage another processor without prior written authorization from Hopin. Provider shall notify Hopin in advance of any Sub-processors it uses or intends to use in respect of Hopin Personal Data prior to relying on such sub-processor, and Provider shall:
Hopin may object to such appointments of sub-processors within fourteen (14) U.S. business days of receipt of notice. If Hopin objects to such changes, Hopin will give Provider the opportunity to make a change in the service or recommend a change to Provider’s configuration to avoid processing of personal data by the objected-to new sub-processor. If Provider’s proposed change is not acceptable to Hopin, Hopin may in its sole discretion terminate the Agreement without penalty.
Provider will provide all assistance reasonably required by Hopin to enable Hopin to:
a. respond to, comply with or otherwise resolve any rights request, question or complaint received by Hopin (or a Hopin customer) from:
b. comply with (and demonstrate compliance with) its obligations under Applicable Laws, including its obligations relating to the security of processing, maintaining detailed records of processing activities (including the location of data), notification of a personal data breach to the data protection supervisory authority and to the data subject, data protection impact assessments as well as prior consultation with the data protection supervisory authority.
c. In the event that any such request, question or complaint under this Section 6 is made directly to Provider, Provider shall inform Hopin providing full details of the same.
Provider acknowledges that Hopin has the right to fully monitor and audit Provider’s compliance with its duties under this DPA and Applicable Laws, including provision of audit questionnaires, provision of security policies and summaries of assessments of compliance with any industry standards (such as ISO 27001, SSAE 16 SOC II), penetration testing and vulnerability scans, and inspections at the premises of Provider where Hopin Personal Data is processed; and Provider shall provide to Customer, its authorized representatives and any such independent inspection body as Hopin may appoint, on reasonable notice: (a) access to Provider’s information processing premises and records; (b) reasonable assistance and cooperation of Provider’s relevant staff; and (c) reasonable facilities at Provider’s premises.
Provider further acknowledges that Hopin has the right to monitor Provider’s activities while Provider is in Hopin Systems. Provider shall be responsible for notifying its employees, subcontractors and agents that such monitoring activities may take place.
In the event of a Data Breach, Provider will take only the following actions (unless authorized by Hopin):
Upon termination or expiry of this DPA, Provider shall (at Hopin's election) destroy or return to Hopin all Hopin Personal Data (including all copies of Hopin Personal Data) in its possession or control (including any Hopin Personal Data subcontracted to a third party for processing), unless any applicable law requires Provider to retain Hopin Personal Data.
Provider will indemnify and defend Hopin, its clients, officers, directors, employees, agents, representatives and Affiliates (each an "Indemnified Party") from and against all third-party loss, harm, cost (including reasonable legal fees and expenses), expense and liability that an Indemnified Party may suffer or incur as a result of Provider's (or its sub-processors') non-compliance with the requirements of this DPA.
Except for the changes made by this DPA, the Agreement and/or any other agreements related to the Services remain unchanged and in full force and effect.
With respect to provisions regarding processing of Personal Data, in the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall control. In the event of a conflict between this DPA and any other provision of the Agreement between you and us, this DPA will control.
Data Processing Description
This Annex A forms part of this DPA and describes the processing that the processor will perform on behalf of the controller.
Data controller (Hopin)
Hopin and its Affiliates.
Data processor (Provider)
Vendor provides the services as set forth in the Agreement.
The duration of the processing under this DPA is until the termination of the Services in accordance with the Agreement terms or so long as Provider processes any Hopin Personal Data, whichever is longer.
Categories of data
The Hopin Personal Data transferred concern the following categories: See “Types of personal data” section in the Hopin Data Processing Agreement.
Special categories of data
The parties do not intend for any special category data to be processed under the Agreement.
Hopin Personal Data transferred to Provider under the Agreement may concern the following categories of data subjects: individuals whose personal data or personal information Hopin elects to transfer to Provider for processing for Provider to perform the Services as set forth in the Agreement.
Hopin Personal Data that Hopin elects to transfer for Provider to provide the services as set forth in the Agreement.
Technical and Organizational Security Measures
The Data Security Requirements for Providers at https://hopin.com/datasec-providers apply.