Hopin Data FAQ

These Data FAQs are subject to change at any time without notice, and are provided as a courtesy. They do not constitute legal advice and do not impose obligations on either Hopin or any customer or user of the Hopin suite.  Any translations of this document to languages other than English are provided for convenience only.

Who is the controller of the data collected in connection with events held on Hopin Events?  What about StreamYard Studio?  

Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of personal data.      

When using Hopin Events, you the Customer, are the controller of Event Content.  “Event Content” includes materials submitted in the course of creating an event, as well as any personal data embedded in your event related contents, such as recordings of events, materials you stream during the event, attendee chat transcripts, and other information and materials submitted to or during an event

Given that your Event Content may also embed the personal data of your speakers and attendees, you will be solely responsible for securing consent, contractual agreement, or establishing a lawful basis for processing that embedded personal data. You are also responsible for data subject requests relating to Event Content. We, as your processor, will act on your instructions for handling your data subject requests to help remove or anonymize the personal data of the data subject. Note, however, that we are unable to remove or obscure faces and voices from your Event Content because they are embedded in your recording.

Both we, and you, as our customer, are each independent controllers of Participant Data.  “Participant Data” includes information provided by end users when they create a Hopin account and when they attend an event on Hopin Events, including (a) image; (b) email address; (c) first and last name; (d) alias; (e) event participation information (like event name and date and time of event); and (f) any additional information provided independently by individuals in connection with customer events on the Hopin platform. 

For example, when an attendee creates a Hopin account to attend an Event on our platform, they provide their full name and email address.  Hopin is an independent controller of this data.   

When you provide (e.g. upload or push from your CLM) a list of names and emails of potential attendees for a Hopin event, you are the controller of that list. Hopin only becomes an independent controller when a user creates a Hopin account to attend the event. 

When acting as independent controllers, each of us is separately responsible for compliance with all applicable laws, including data protection laws, such as providing notice or transparency or obtaining consent where required.  

StreamYard Studio can be used independently as a stand-alone product or in conjunction with Hopin Events.  In either scenario, you are the sole owner and controller of all materials included in your video streams, and we act purely as a processor.    

What are your technical and organizational security measures? 

We are committed to protecting the confidentiality, integrity and availability of our information systems and our customers’ personal data.  We are constantly improving our security controls and analyzing their effectiveness to give you confidence in our solution.  Our security standards are available at https://hopin.com/legal/security and incorporated into the Global Platform Terms.  A highlight of some of our technical and organizational measures in place for both Hopin Events and StreamYard Studio include:

• Information Security Program – We have a dedicated and passionate security team across the globe to respond to security alerts and events, and a program that accounts for and includes third-party penetration tests, threat detection, vulnerability scanning, DDoS mitigation, and access controls.
• Encryption in-transit - Communication is encrypted with TLS 1.2 or higher over public networks.
• Encryption at-rest – Data is encrypted at rest with industry standard AES-256 encryption.  
• Availability and Continuity - Services are deployed to multiple zones and scale dynamically in response to measured and expected load.
• Employee background checks - All employees undergo a background check prior to employment which covers 5 years criminal history, where permitted by applicable law, and 5 years employment verification.
• NDAs and Confidentiality Agreements - All employees are required to sign Non-Disclosure and Confidentiality agreements.
• Vendor Management - We evaluate and perform due diligence on all our vendors prior to engagement to ensure their security is to a suitable standard. If they do not meet our requirements, we do not move forward with them.  Selected vendors are then monitored and reassessed on an ongoing basis.

Because the same security standards apply to all Customers using the Hopin Events and StreamYard Studio services, we do not accept Customer security terms and cannot modify our security terms on a per-customer basis.

Where is my personal data stored when I use Hopin Events?  Can I choose to store it in a specific location?  

Hopin Events is cloud-based and hosted by Amazon AWS.  

By default, recordings of Event Content are stored in the US (us-east-1 – Ashburn, Virginia) and Participant Data is stored in the EU (eu-west-1 region - Dublin, Ireland). 

However, if you are a Hopin Events business and enterprise customer, you can choose to store both Event Content and Participant Data (e.g. all of your data) in the EU.  Just notify your Hopin relationship manager to ensure the desired settings are applied to your account.  

What about my personal data from my CRM?

Hopin Events offers several third-party integrations that you may implement to enhance your event or ensure seamless communication with your organization’s CRM tools, such as Salesforce, Marketo, HubSpot, Interprefy, and many others.  A current list of Hopin Events integration providers is available here.  If you choose to use one or more of these third-party integrations, the respective integration provider’s use and processing of personal data is controlled by the integration provider’s terms and conditions and/or your agreement with them.  We do not control and are not responsible for the data practices of these third-party integration providers, and you should carefully evaluate these service providers as you would any third party.  We also cannot ensure that these providers will store your data in the EU or other specific location.  Therefore, if this is important to you, you should ask these providers directly where they store your data before implementing their integration.    

Where is my StreamYard Studio personal data stored?

StreamYard Studio offers cloud-based live streaming and recording and is hosted by Google Cloud in the US.  

Who are the sub-processors for Hopin Events? How risky are transfers to US sub-processors?  

While Hopin Events is able to offer storage wholly within the EU, it (like most other companies throughout the world) relies on certain sub-processors located outside of the UK/EU, primarily in the US.  A list of sub-processors for Hopin Events is available here.  When data is transferred from the UK/EU, we undertake to ensure that such transfers comply with applicable data protection law, including through the use of appropriate Standard Contractual Clauses (“SCC”).  Please see also Section “What about Brexit?” below.  Additionally, we have implemented a number of measures aimed to ensure an adequate level of protection for EU customer data, such as encryption in transit, encryption at rest, and access controls.        

It is ultimately for our customers to determine how risky this is, but to summarize some helpful commentary from a U.S. Department of Commerce White Paper on this subject:

• Most US companies do not handle data that is of any interest to the US intelligence agencies. Companies whose EU operations involve ordinary commercial products or services, and whose EU-US transfers of personal data involve ordinary commercial information like employee, customer, or sales records, have no reason to believe US intelligence agencies would seek to collect that data.  

Who are the sub-processors for StreamYard Studio? 

A list of sub-processors for StreamYard Studio is available here.  

What about Brexit?

The UK’s data protection system, now known as the UK GDPR, continues to be based on the same rules that were applicable when the UK was a member state of the EU.  The UK has fully incorporated the principles, rights, and obligations of the GDPR into its post-Brexit legal system.  

On 28 June 2021, the European Commission (“EC”) determined that the UK’s data protection laws are “adequate” so that transfers of personal data from the EU to the UK are not restricted.  

For the opposite direction of transfer, from the UK to the EU, there has been no practical change from before Brexit. The UK has issued guidance that UK companies like Hopin can continue to send personal data to EU countries which are still deemed adequate.  

With regard to transfers from the EU to “non-adequate” third countries, the EC published a new set of SCCs for cross-border data transfers.  The legacy SCCs continued to remain in effect for new data transfers (i.e., new contracts) during a three-month transition period that ended on 27 September 2021.  Existing transfers (i.e., pre-existing contracts) may continue to rely on the legacy SCCs until 27 December 2022.

As for transfers from the UK to “non-adequate” third countries, the ICO currently is assessing how to address cross-border data transfers going forward under the UK version of the GDPR and in conjunction with the EU SCCs.    

Links to relevant Modules of the new SCCs have been incorporated by reference into our DPA.    

Can you sign our data processing agreement instead of Hopin’s?

Unfortunately, no. Our data processing agreement (“DPA”), which complies with GDPR, UK GDPR, and the CCPA is specific to our data handling constructs, services, and privacy practices. Other DPAs rarely contemplate the data handling constructs discussed above.  Moreover, if you are purchasing both Hopin Events and StreamYard Studio, our DPA and commercial paper accommodates your purchase of both services in one DPA.

You can review our DPA online by visiting https://hopin.com/legal/dpa. When you purchase a subscription with us, the DPA is automatically incorporated by reference into the Platform Terms and deemed signed by both parties.

‍We are a US based company. If you store our US user data in Ireland, does that automatically make us subject to GDPR?

No. This is a common misconception. If your company is not currently subject to GDPR, simply using Hopin Events does not make you subject to GDPR. The European Data Protection Board (“EDPB”) released guidelines to clarify this to overcome the obviously undesirable effect of discouraging non-EU companies from doing business with EU companies, “[a] ‘non-EU’ controller […] will not become subject to the GDPR simply because it chooses to use a processor in the Union.” 

Your company may be subject to GDPR for other reasons (you target EU users, you have an established presence in the EU) so please consult your legal counsel.

Read the EDPB’s full guidance on the territorial scope of the GDPR here.  Specifically see Page 12. 

Question: How do you handle our Customer’s data subject requests?

For data that is in our possession or control, and not yours, send an email to us at [email protected] with “Customer Data Subject Request” in the subject line. Please include your company name, the data subject’s email address, and specific instructions on how to handle the request with respect to data over which we are a processor.