Data Security Requirements For Providers

1. Who does this apply to?

These Hopin Data Security Requirements for Providers (this “DSR”) applies to vendors, resellers, agencies, partners, and other third parties (“Provider”) that access, process, share, or otherwise handle Hopin Information (defined below) of Hopin Ltd. or its parents, subsidiaries, or affiliated companies (“Hopin”).

Provider agrees to comply with this DSR with respect to the handling of any Hopin Information by Provider. This DSR does not limit other obligations of Provider, including under any separate agreement with Hopin (the “Agreement”), or laws that apply to Provider, Provider’s performance under the Agreement, or an express permitted use of the Hopin Information (the “Permitted Purpose”). To the extent this DSR conflicts with the Agreement, Provider will comply with the requirement that is more restrictive and protective of Hopin Information (which may be designated by Hopin). These commitments apply to Provider and its employees, contractors, agents, representatives, and other authorized users of its systems and network resources (“Personnel”). Note that Hopin may update this document from time to time.

2. Definitions

The following definitions apply to this DSR.

Aggregate means to combine or store Hopin Information with any data or information of Provider or any third party.

Hopin Information means:

A. all Hopin Confidential Information (as defined in the Agreement or in the non-disclosure agreement between the parties);

B. all Hopin Personal Data (as defined in the Agreement or the Data Processing Addendum for Providers); and

C. data derived from (a) or (b), even if Anonymized.

Confidentiality, Integrity, and Availability means the three properties of the information-security model known as the “CIA Triad.” Confidentiality is the property that data or information is not made available or disclosed to unauthorized persons or processes. Integrity is the property that data or information have not been altered or destroyed in an unauthorized manner. Availability is the property that data or information is accessible and usable upon demand by an authorized person.

Physical, Administrative, and Technical Safeguards means the controls an organization implements to maintain information security. Physical safeguards address physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Administrative safeguards address administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic data or information and to manage the conduct of Personnel in relation to the protection of that data or information. Technical safeguards address the technology, and the policies and procedures for its use, that protect electronic data or information and control access to it.

Process means to perform any operation or set of operations on data, such as access, use, collection, receipt, storage, alteration, transmission, dissemination or otherwise making available, erasure, or destruction.

3. Permitted Purposes

Supplier will Process Hopin Information only as follows (each, a “Permitted Purpose”):

3.1 Authorized data. Supplier may Process only the Hopin Information expressly authorized under the Agreement. If there is no express authorization, the Supplier may process only the Hopin Information necessary to perform the services under the Agreement.

3.2 Sale or other transfer prohibited. Supplier will not transfer, rent, barter, trade, sell, rent, loan, lease, or otherwise distribute or make any Hopin Information available to any third party.

3.3 Data aggregation prohibited. Except as expressly authorized under the Agreement, Supplier will not Aggregate Hopin Information, even if anonymized or pseudonymized.

4. Information Security Requirements

4.1 General security requirement

Provider will maintain Physical, Administrative, and Technical safeguards consistent with industry-accepted best practices to protect the Confidentiality, Integrity, and Availability of Hopin Information. Examples of certifications that may demonstrate adherence to best practices include but are not limited to the International Organization for Standardization’s standards ISO 27001 and 27002, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or other similar industry standards for information security) 

4.2 Specific safeguard requirements

In addition to following the above standards, Provider’s information security program will include, at a minimum, the following safeguards and controls:

4.2.1 Written information security program

Provider shall implement a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually. The program will apply to Provider’s employees, agents, subcontractors, and vendors. Provider will maintain a process to monitor and enforce program compliance and log program violations.

4.2.2 Security awareness training

Provider will provide periodic security training to its Personnel on relevant threats and business requirements such as social-engineering attacks, sensitive data handling, causes of unintentional data exposure, and security incident identification and reporting.

4.2.3 Data inventory

Provider will document and maintain information regarding how and where Hopin Information is Processed while in Provider’s possession or control.

4.2.4 Secure configurations

Provider shall manage security configurations of its systems using industry best practices to protect Hopin Information from exploitation through vulnerable services and settings.

4.2.5 Controlled use of administrative privileges

Provider shall limit and control the use of administrative privileges on computers, networks, and applications consistent with industry best practices.

4.2.6 Vulnerability and patch management

Provider will maintain a process to timely identify and remediate system, device, and application vulnerabilities through patches, updates, bug fixes, or other modifications to maintain the security of Hopin Information.

4.2.7 Maintenance, monitoring, and analysis of audit logs

Provider will collect, manage, retain, and analyze audit logs of events to help detect, investigate, and recover from unauthorized activity that may affect Hopin Information. Logs will be kept and maintained for at least 12 months. In a multi-tenant environment with a shared responsibility model (e.g. a SaaS), Provider shall associate all logs with a unique Hopin implementation id, and provide this information to Hopin upon request.

4.2.8  Malware defenses

Provider will deploy anti-malware software to and configure all workstations and servers on Provider’s network to control and detect the installation, spread, and execution of malicious code.

4.2.9 Firewalls

Provider will maintain and configure firewalls to protect systems containing Hopin Information from unauthorized access. Provider will review firewall rule sets at least annually to ensure valid, documented business cases exist for all rules.

4.2.10 Suitable Environment

Data will be used in an environment suitable to its purpose. Production data will not be used on test equipment and test data will not be used on production equipment.

4.2.11 Change Management

Provider will maintain and implement a written Change Management Policy. Changes to production systems are tracked, recorded, and reviewed.

4.2.12 Disablement of services

Disable any unnecessary services, protocols, and ports identified by Hopin, unless otherwise agreed with Hopin. 

4.2.13 Encryption

Provider will encrypt all Hopin Information at rest and when in transit across open networks in accordance with industry best practices. Upon Hopin's written request, the Provider will confirm that all copies of encryption keys have been securely deleted.

4.2.14 Access controls

Provider will implement the following access controls with respect to Hopin Information:

A. Unique IDs. Provider will assign individual, unique IDs to all Personnel with access to Hopin Information, including accounts with administrative access. Accounts with access to Hopin Information must not be shared.

B. Need-to-know. Provider will restrict access to Hopin Information to only those Personnel with a “need-to-know” for a Permitted Purpose.

C. User access review. Provider will periodically review Personnel and services with access to Hopin Information and remove accounts that no longer require access. This review must be performed at least once every 90 days.

4.2.15 Account and password management

Provider will implement account and password management policies to protect Hopin Information, including, but not limited to:

A. No default passwords. Before deploying any new hardware, software, or other asset, Provider will change all default and manufacturer-supplied passwords to a password consistent with the password strength requirements described below.

B. Inventory of administrative accounts. Provider will maintain an inventory of all administrator accounts with access to Hopin Information.

C. Password strength. Provider will ensure that all Personnel use strong passwords by enforcing the following minimum requirements:

a. passwords must be a minimum length of 8 characters;

b. passwords may not match commonly used, expected, or compromised passwords;

c. Provider must force a password change if there is evidence the password may have been compromised;

d. Credential encryption. Encrypted passwords and other secrets shall be stored in an industry-accepted form that is resistant to offline attacks; and

e. Rate limiting. Provider shall implement an industry-accepted rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on a user’s account.

4.2.16 Remote access; multi-factor authentication required

Provider will implement multi-factor authentication (i.e., requiring at least two factors to authenticate a user) for remote access to any network, system, application, or other asset containing Hopin Information; or Provider’s corporate or development networks.

4.2.17 Data segregation

Except where expressly authorized by Hopin in writing, Provider will logically and/or physically isolate Hopin Information at all times from Provider’s and any third-party information.

4.2.18 Security testing

Provider will conduct periodic internal and external penetration testing of systems that Process Hopin Information to identify vulnerabilities and attack vectors that can be used to exploit those systems. Identified vulnerabilities shall be addressed as part of Provider’s vulnerability management program.

4.2.19 Personnel security and nondisclosure.

Provider must obtain enforceable individual nondisclosure agreements from its Personnel that are no less protective of Hopin as those under the Agreement and this document. If reasonably requested by Hopin, Provider will provide evidence of such individual nondisclosure agreements to Hopin to demonstrate compliance with this provision.

4.3 PCI DSS requirements (if applicable). 

If, in the course of its engagement by Hopin, Provider has access to or will Process credit, debit, or other payment cardholder information, Provider shall at all times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements (in addition to the minimum requirements in Section 4.2) and shall remain aware at all times of changes to the PCI DSS and promptly implement all procedures and practices necessary to remain in compliance with the PCI DSS.

4.4 Subcontracts.

Except as expressly set forth in the Agreement, Provider will not subcontract or delegate any of its obligations under this DSR to any subcontractors, affiliates, or delegates (“Subcontractors”) without Hopin’s prior written consent.

4.5 Access to Hopin Extranet and Provider portals.

Hopin may grant Provider’s Personnel access to Hopin Information via web portals or other non-public websites or extranet services on Hopin’s or a third party’s website or system (each, an “Extranet”) for the Permitted Purposes. If Hopin permits Provider to access any Hopin Information using an Extranet, Provider must comply with the following requirements:

4.5.1 Permitted Purpose.

Provider and Provider Personnel will access the Extranet and access, collect, use, view, retrieve, download or store Hopin Information from the Extranet solely for the Permitted Purpose.

4.5.2 Accounts.

Provider will only provision or permit access to the Extranet to those Personnel that have a need-to-know or as otherwise necessary to fulfill the Permitted Purpose. Provider must ensure that such Personnel use only the Extranet account(s) designated for each individual by Hopin and will require Personnel to keep their access credentials confidential and secure. Accounts are not to be shared.

4.5.3 Systems.

Provider will access the Extranet only through computing or processing systems or applications running operating systems managed by Provider and that include: (i) system network firewalls in accordance with Section 4.2.9 (firewalls); (ii) centralized patch management in compliance with Section 4.2.6 (vulnerability and patch management); (iii) operating system appropriate anti-malware software in accordance with Section 4.2.8 (malware defenses); and (iv) for portable devices, full disk encryption.

4.5.4 Restrictions.

Except if approved in advance in writing by Hopin, Provider will not download, mirror or permanently store any Hopin Information from any Extranet on any medium, including any machines, devices or servers.

4.5.5 Account Termination.

Provider will terminate the account and access to the Extranet of each of its Personnel immediately when (a) that Personnel no longer needs access to Hopin Information or (b) no longer qualifies as Personnel (e.g., the personnel leaves Provider’s employment or the Hopin engagement is complete).

5. Data Retention, Return, and Destruction

5.1 Retention.

Provider will retain Hopin Information only as necessary for the Permitted Purposes.

5.2 Return and secure deletion of Hopin Information.

At any time during the term of the Agreement at Hopin’s request, or upon the termination or expiration of the Agreement for any reason, Provider shall, within 5 business days (or 30 calendar days for data in backup or online storage), return to Hopin and securely delete all copies of Hopin Information in its possession or control. Provider shall confirm in writing that all copies of Hopin Information have been returned and securely deleted.

5.3 Archival copies.

If Provider is required by law to retain archival copies of Hopin Information for tax or similar regulatory purposes, Provider shall (i) not use the archived information for any other purpose; and (ii) remain bound by its obligations under this agreement, including, but not limited to, its obligations to protect the information using appropriate safeguards and to notify Hopin of any Security Incident involving the information.

5.4 Deletion standard.

All Hopin Information deleted by Provider will be securely deleted using an industry-accepted practice designed to prevent data from being recovered using standard disk and file recovery utilities (e.g., secure overwriting, degaussing of magnetic media in an electromagnetic flux field of 5000+ GER, shredding, or mechanical disintegration) and in compliance with Provider’s privacy policy or retention policy. With respect to Hopin Information encrypted in compliance with this DSR, Provider may delete data by permanently and securely deleting all copies of the encryption keys.

5.5 Media destruction.

Before permanently discarding or disposing of storage media that (1) Provider has physical access to or control of (e.g., laptop hard drives, desktop hard drives, USB or “thumb” drives, backup media, hard drives used in the Provider’s own data center, or other portable storage media) and (2) contains, or has at any time contained, Hopin Confidential Information, Provider will destroy the storage media using a technique designed to render the media unusable and the data unrecoverable (e.g., disintegration, incineration, pulverizing, shredding, and melting). This section shall not apply to storage media that Provider does not have physical access to or control of, such as storage media used in a public cloud or other third-party environment. In such cases, Provider shall ensure that all Hopin Confidential Information stored in the third-party environment is securely deleted when no longer needed using an industry-accepted practice (see Section 5.4, Deletion standard).

6. Security Reviews and Audits

6.1 Vendor assessment questionnaires.

Upon Hopin’s request, Provider will complete a new Hopin risk assessment questionnaire.

6.2 Compliance with agreement.

Upon Hopin’s request, Provider will confirm in writing to Hopin Provider’s compliance with this Agreement.

6.3 Other reviews; audits.

Upon reasonable notice, Hopin may conduct an audit  no more than once a year to confirm Provider’s compliance with this Agreement. Provider grants Hopin or, at Hopin’s election, a third party on Hopin’s behalf, permission to perform an assessment, audit, examination, or review of the Physical, Administrative, and Technical Safeguards in place to protect Hopin Information Processed by Provider under the Agreement. Provider shall fully cooperate with the assessment.

6.4 Remediation.

Provider will promptly address any exceptions or deficiencies identified during Hopin’s security review or in any audit report, by developing and implementing a corrective action plan agreed to by Provider and Hopin, at Provider’s sole expense.

7. Security Incidents

7.1 A “Security Incident” is (i) any actual (or based on the circumstances is highly likely to be) compromise of the Confidentiality, Integrity, or Availability of Hopin Information or compromise of, or unauthorized access to, any system that Processes Hopin Information that presents a risk to the Confidentiality, Availability, or Integrity of Hopin Information; or (ii) receipt of a complaint, report, or other information regarding the potential compromise or exposure of Hopin Information Processed by Provider. Hopin may conduct additional audits as it deems reasonable after any Security Incident. 

7.2 Incident response plan.

Provider shall maintain a written incident response plan and provide a copy of the plan to Hopin upon request. Provider will remedy each Security Incident in a timely manner following its response plan and industry best practices.

7.3 Notice required.

Provider will notify Hopin of any Security Incident without undue delay and at latest within 48 hours of becoming aware of the Security Incident.

7.4 Cooperation with Hopin’s investigation.

Provider will reasonably cooperate with Hopin in Hopin’s handling of a Security Incident, including, without limitation: (i) coordinating with Hopin on Provider’s response plan; (ii) assisting with Hopin’s investigation of the Security Incident; (iii) facilitating interviews with Provider’s Personnel and others involved in the Security Incident or response; and (iv) making available all relevant records, logs, files, data reporting, forensic reports, investigation reports, and other materials required for Hopin to comply with applicable laws, regulations, or industry standards, or as otherwise required by Hopin. After such investigation, Provider will promptly provide a written root cause analysis report to Hopin.

7.5 Third-party notifications.

Provider shall not disclose the existence of any Security Incident to any third party without first obtaining Hopin’s prior written consent. Hopin has the sole right to determine: (i) whether notice of the Security Incident is to be provided to any customers, individuals, regulators, law enforcement agencies, or others; and (ii) the form and content of such notice.

8. Notice of Legal Process

Provider will inform Hopin within 48 hours when Hopin’s data is being sought in response to legal process or other applicable law, unless prohibited by applicable law from notifying Hopin.