Hopin Data FAQ

What is the purpose of these Data FAQs?

Hopin takes privacy issues seriously.  Therefore, we have prepared this document to assist customers, participants and other stakeholders in respect of some commonly asked privacy questions.  

For further detail regarding how we process personal data, please see our Data Processing Addendum and Privacy Policy and, for additional assistance on privacy matters, please contact the Hopin Privacy Team on [email protected] 

What are the data protection roles in respect of personal data processed via the Hopin events product?  

Broadly speaking, our customers and Hopin process two “buckets” of personal data via the Hopin events product - “Participant Data” and “Event Data”.  

The sections below describe these in more detail but, at a high level, the former is limited data relating largely to participant contact information and the latter can be more extensive data relating to the participants’ event experience.

Participant Data

“Participant Data” is any personal data relating to individuals in the creation of a Hopin account (or other means of access) to attend or engage with an event such as (a) first / last name; (b) contact details; (c) event participation information (e.g event name, time and date) etc.

Hopin and the customer act as independent controllers of Participant Data and so each party is separately responsible for compliance with applicable data protection laws, such as providing notice to or obtaining consent from participants where required.

Event Data

“Event Data” is (a) any personal data contained in materials submitted by Customer in the course of creating or during an event (e.g. speaker bios); and (b) personal data embedded in Customer event-related content (e.g. event recordings, participant chat transcripts). 

The customer is the controller of Event Data and Hopin only ever acts as a processor of this data.  As the controller and where required by law, the customer will be responsible for compliance with applicable data protection laws, such as providing notice to or obtaining consent from individuals where required.  

What are the data protection roles in respect of personal data processed via StreamYard?

StreamYard can be used as a stand-alone product or in conjunction with Hopin events.  In either scenario, the customer is the controller of personal data contained in live/recorded video streams, and Hopin acts solely as a processor of such data.  To the extent Participant Data is collected, the parties act as independent controllers.  

What technical and organizational security measures have been implemented by Hopin to protect personal data?

We are committed to protecting the confidentiality, integrity and availability of our information systems and our customers’ personal data.  We are constantly improving our security controls and analyzing their effectiveness to give customers confidence in our products.  Our security standards are available at https://hopin.com/legal/security and incorporated into the Global Platform Terms and the Data Processing Addendum.  Highlights of our technical and organizational measures in place for both Hopin events and StreamYard include:

• Information Security Program – We have a dedicated security team across the globe to respond to security alerts and events, and a program that accounts for and includes third-party penetration tests, threat detection, vulnerability scanning, DDoS mitigation, and access controls.
• Encryption in-transit - Communication is encrypted with TLS 1.2 or higher over public networks.
• Encryption at-rest – Data is encrypted at rest with industry standard AES-256 encryption.  
• Availability and Continuity - Services are deployed to multiple zones and scale dynamically in response to measured and expected load.
• Employee background checks - All employees undergo a background check prior to employment which covers 5 years criminal history, where permitted by applicable law, and 5 years employment verification.
• NDAs and Confidentiality Agreements - All employees are required to sign Non-Disclosure and Confidentiality agreements.
• Vendor Management - We evaluate and perform due diligence on all our vendors prior to engagement to ensure their security is to a suitable standard. If they do not meet our requirements, we do not move forward with them.  Selected vendors are then monitored and reassessed on an ongoing basis.

Since the same security standards apply to all Customers using the Hopin Events and StreamYard services, we do not accept Customer security terms and cannot modify our security terms on a per-customer basis.

Where is personal data stored when using Hopin events?  Can I choose to store it in a specific location?  

Hopin events is cloud-based and hosted by Amazon AWS.  By default, Event Data is stored in the US (us-east-1 – Ashburn, Virginia) and Participant Data is stored in the EU (eu-west-1 region - Dublin, Ireland).

If you are a Hopin events business and enterprise customer, you can choose at the outset of your engagement to store both Event Data and Participant Data (therefore, all of the personal data) in the EU.  Just notify your Hopin relationship manager to ensure the desired settings are applied to your account.

Please also see the section “What about international transfers?” below.

What about personal data from my CRM and the use of integration providers?

Hopin events offers several third-party integrations that you may implement to enhance your event or ensure seamless communication with your organization’s CRM tools, such as Salesforce, Marketo, HubSpot, and many others.  A current list of Hopin Events integration providers is available here.  If you choose to use one or more of these third-party integrations, the respective integration provider’s use and processing of personal data is controlled by the integration provider’s terms and conditions and/or your agreement with them.  

We do not control and are not responsible for the data practices of these third-party integration providers, and you should carefully evaluate these service providers as you would any third party.  We also cannot ensure that these providers will store your data in the EU or other specific location.  Therefore, if this is important to you, you should liaise with these providers directly.    

Where is personal data stored when using StreamYard?

StreamYard offers cloud-based live streaming and recording and is hosted by Google Cloud in the US.  Please also see the section “What about international transfers?” below.  

Who are the sub-processors for Hopin events? 

While we are able to offer storage for Hopin events wholly within the EU, we (like almost all SaaS providers) rely on certain credible and trusted sub-processors located outside of the UK/EU, primarily in the US, to provide our services.  A list of sub-processors for Hopin events is available here.  Please also see the section “What about international transfers?” below.

Who are the sub-processors for StreamYard?

A list of sub-processors for StreamYard is available here.  

What about international transfers? 

Like the overwhelming majority of SaaS providers, our services may involve EU to UK transfers, UK to EU transfers and EU/UK to US transfers.  We have taken various steps to ensure compliance in respect of these transfers. 

EU to UK transfers - the European Commission has determined that the UK’s data protection laws are “adequate” so that transfers of personal data can take place without further compliance measures.  

UK to EU transfers - the UK authorities have determined that the EU’s data protection laws are “adequate” so that transfers of personal data can take place without further compliance measures.  

EU/UK to US transfers - we have completed the following: 

• entering into the appropriate Standard Contractual Clauses via our agreements with customers, service providers and affiliates; 
• conclusion of an internal Transfer Impact Assessment for EU/UK to US transfers;
• implementation of “supplementary measures” in the form of, for example, access controls; and
• ongoing review of necessary compliance requirements in this area.      

Can Hopin sign a customer’s own Data Processing Addendum (“DPA”)?

Unfortunately, the answer is no. Our DPA, which complies with EU GDPR, UK GDPR, and the CCPA is specific to our data handling constructs, services, and privacy practices.  A customer DPA does not contain those specificities. This approach is in keeping with almost all SaaS providers.

Moreover, if you are purchasing both Hopin events and StreamYard, our DPA and commercial paper accommodates your purchase of both services.

You can review our DPA online by visiting https://hopin.com/legal/dpa. When you purchase a subscription with us, the DPA is automatically incorporated by reference into the Global Platform Terms and deemed signed by both parties.

How does Hopin handle data subject requests?

In respect of Event Data, the customer is responsible for any data subject requests and we inform any requestors to contact the customers directly. Hopin, as a processor and where required by law, will act on the customer’s instructions to provide assistance. Note, however, that Hopin is unable to remove or obscure personal data like faces, voices and chats from Event Data because they are embedded. 

In respect of Participant Data, we inform requestors that they can access this data via their account, delete their account, unsubscribe from any marketing to which they’ve explicitly opted in, and ask for our assistance in respect of the same and any other rights. 

These Data FAQs are subject to change at any time without notice, and are provided as a courtesy. They do not constitute legal advice and do not impose obligations on either Hopin or any customer or user of the Hopin suite of products.  Any translations of this document to languages other than English are provided for convenience only.