ENTERED INTO BY:
Hopin Limited, incorporated and registered in England and Wales with company number 12035150 whose registered office is at 5 Bonhill St., Shoreditch, London, EC2A 4BX (“Hopin”); and
“Provider” the entity identified in the signature block of the Main Agreement (defined below).
Each a “party,” together the “parties.”
The parties have entered into an agreement for Provider to provide certain services (the “Services”) to Hopin (the “Main Agreement”). This data processing agreement (the “DPA”) sets forth the terms on which the parties will collect and process Personal Data in connection with the Services, and is hereby incorporated into the Main Agreement by reference.
APPLICATION OF THIS DPA
Events held on Hopin’s platform and associated technology (“Platform”) can be attended by individuals from around the world. The Provider provides Services to Hopin in connection with the Platform. This DPA will apply to the processing of Personal Data under the Main Agreement.
DESCRIPTION OF DATA PROCESSING
The section below sets out the subject-matter, nature and purpose, duration of the processing, the type(s) of Personal Data being processed, and the categories of data subjects that may be processed under this DPA.
DATA PROCESSING DETAILS
Processing of data related to the Services.
Nature and purpose
Processing data for the purpose of managing access to the Platform by Hopin’s customer and end users, also for the purpose of the Provider supplying the Services to Hopin.
Term of the Main Agreement or for as long as Provider is permitted or required to retain the Personal Data.
Types of Personal Data
May include name, email address, billing and payment information, events booked, organized and attended, content generated through the attendance of events, and any other Personal Data that may be processed pursuant to the supply of the Services under the Main Agreement.
Categories of Data Subject
The Personal Data that may be processed may relate to event organizers, attendees, employees, contractors and contacts of both Hopin and Hopin’s customers.
Capitalized terms used but not defined in this DPA shall have the same meanings as set out in the Main Agreement, if applicable. For the purposes of this DPA:
“Affiliate” means, regarding a Party, any entity that directly or indirectly controls, is controlled by, or is under common control with such Party, whereby “control” (including, with correlative meaning, the terms “controlled by” and “under common control”) means the possession, directly or indirectly, of the power to direct, or cause the direction of the management and policies of such person, whether through the ownership of voting securities, by contract, or otherwise.
“Applicable Laws” means all applicable data protection and privacy legislation in force from time to time which apply to a Party relating to the use of Personal Data, including Data Protection Legislation; the California Consumer Privacy Act of 2018 (AB 375) (CCPA); and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.
“Controller”, “Processor”, “data subject”, “Personal Data”, “personal data breach”, “processing,” “service provider” and “appropriate technical and organizational measures” are as defined in the Data Protection Legislation. “Personal data” includes “personal information” as defined by the CCPA.
“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including but not limited to the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (the “UK GDPR”) as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018; the Data Protection Act 2018; and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
“Hopin Personal Data” means any and all Personal Data that is provided to Provider or otherwise collected and/or accessed by Provider on behalf of Hopin and/or its Affiliates in the course of the Provider supplying the Services under the Main Agreement.
“Information System” means the systems and electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial/process controls systems and environmental control systems.
"SCCs" means the then current Standard Contractual Clauses for controller-to-processor available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32010D0087&from=en and, to the extent applicable, incorporated herein by reference.
"Sub-processor" means an entity engaged by a Processor to receive Personal Data from the Processor exclusively intended for the processing activities to be carried out as part of the Services.
1.1 For purposes of this DPA, Hopin may act as a Controller, or it may act as a Processor of one of its customers. Provider therefore acknowledges that it may act as a Processor of Hopin or a Sub-processor of Hopin. Where Hopin acts as a Processor, Hopin is obligated contractually and / or under Applicable Laws to flow down certain data protection related obligations to its appointed Sub-processors. Therefore all obligations placed on Processors in this DPA shall apply to Provider regardless of whether Provider acts as a Processor or Sub-processor.
1.2 Both parties will comply with the requirements of Applicable Laws, and shall not perform their obligations under this DPA or any other agreement or arrangement between them in such way as to cause either Party to breach any of its applicable obligations under Applicable Laws.
2.1 Without prejudice to the generality of Section 1.2, the Data Processor shall, in relation to any Personal Data processed in connection with the performance of its obligations under this DPA:
2.1.1 warrant and undertake to process Hopin Personal Data only on the documented written instructions of Hopin, which include this DPA and the Main Agreement, unless Provider is required by Applicable Laws to otherwise process that Personal Data. Provider shall not process Hopin Personal Data for Provider’s own purposes or for the benefit of anyone other than Hopin. Without limiting the foregoing, where Provider is relying on Applicable Laws as the basis for processing Hopin Personal Data, Provider shall promptly notify Hopin of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Provider from so notifying Hopin. The Provider must promptly notify Hopin if, in its opinion, Hopin’s instructions do not comply with Applicable Laws.
2.1.2 maintain a record of all categories of processing carried out on Hopin’s behalf and make it available to Hopin or the data protection supervisory authority upon request;
2.1.3 ensure that it has in place appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Hopin Personal Data and against accidental loss or destruction of, or damage to, Hopin Personal Data, appropriate to:
a) the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage of the Personal Data; and
b) the nature of the Personal Data to be protected;
in all cases having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting the Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident or personal data breach, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it).
2.1.4 only permit employees, staff, agents, or any other person or entity acting on its behalf to access Hopin Personal Data if that access is in compliance with this DPA, conducted by individuals who have a need-to-know and who have been appropriately trained and are bound by commercially reasonable and legally enforceable confidentiality, data privacy, and data security obligations that are no less protective of Hopin’s interests than those set forth in this DPA.
2.1.5 not transfer any Hopin Personal Data to a territory outside of the European Economic Area and the United Kingdom without the prior written consent of Hopin. Where such consent is granted, the Provider may only process, or permit the processing, of the Personal Data outside the EEA under the following conditions:
a) the Provider is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or
b) the Provider participates in a valid cross-border transfer mechanism (such as the SCCs) under the Data Protection Legislation so that the Provider (and where appropriate Hopin) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR.
If any transfer of Hopin Personal Data between Hopin and the Provider requires execution of SCCs in order to comply with the Data Protection Legislation (where Hopin is the entity exporting Personal Data to the Provider outside the EEA), the parties will complete all the relevant details in and execute the SCCs and take all other actions required to legitimise the transfer. In such cases, Appendix 1 of the SCCs shall be replaced with Annex A of this DPA and Appendix 2 shall be replaced by Annex B.
If Hopin consents to appointment by the Provider of a Sub-processor located outside the EEA in compliance with the provisions of section 2.1.10 and 2.1.5, then Hopin authorises the Provider to enter into SCCs with the Sub-processor in Hopin’s name and on its behalf. The Provider will ensure that all the relevant details are completed, and that all other actions required to legitimise and execute the SCCs are taken, and shall make the executed SCCs available to Hopin on request. In such cases Appendix 2 of the SCCs shall be replaced by Annex B.
If the parties are required to execute the SCCs in order to comply with the provisions of this section, then signature to the Main Agreement or this DPA shall also constitute signature of the SCCs by the parties.
2.1.6 take such technical and organizational measures as may be appropriate and provide all assistance reasonably required by Hopin at no additional cost to Hopin, to enable Hopin to comply with:
a) the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and
b) its obligations under Applicable Laws, including its obligations relating to the security of processing, maintaining detailed records of processing activities (including the location of data), notification of a Personal Data breach to the data protection supervisory authority and to the data subject, data protection impact assessments as well as prior consultation with the data protection supervisory authority.
Provider warrants that in the event that any such request, question or complaint under this Section 2.1.6 is made directly to Provider, Provider shall immediately inform Hopin providing full details of the same.
2.1.7 in the event that Provider becomes aware of a Data Breach, Provider will, at Provider’s cost:
a) notify Hopin without undue delay (and at the latest within 48 hours of becoming aware of the Data Breach);
b) provide Hopin with a reasonably detailed description of the Data Breach, including the type of data that was the subject of the Data Breach and the identity and state or country of residence of each affected Data Subject as well as any other information that Hopin may reasonably request relating to the Data Breach, as soon as such information can be collected or otherwise becomes available;
c) promptly (and latest beginning within 48 hours of becoming aware of the Data Breach) investigate the Data Breach, make reasonable efforts to mitigate the effects and harm of the Data Breach in accordance with its obligations under Section 4 (Confidentiality and Security) above, and provide any other assistance that Hopin may reasonably request relating to the Data Breach; and
d) not disclose the existence of a Data Breach, including to Hopin’s customers, consumers, or the general public, without the express written permission of Hopin, except as necessary to inform others as required by Applicable Law.
2.1.8 upon termination or expiry of this DPA, Provider shall (at Hopin's election) destroy or return to Hopin all Hopin Personal Data (including all copies of Hopin Personal Data) in its possession or control (including any Hopin Personal Data Sub-processor to a third party for processing), unless any applicable law requires Provider to retain Hopin Personal Data.
2.1.9 Provider acknowledges that Hopin has the right to fully monitor and audit Provider’s compliance with its duties under this DPA and Applicable Laws, including provision of audit questionnaires, provision of security policies and summaries of assessments of compliance with any industry standards (such as ISO 27001, SSAE 16 SOC II), penetration testing and vulnerability scans, and inspections at the premises of Provider where Hopin Personal Data is processed; and Provider shall provide to Hopin, its authorized representatives and any such independent inspection body as Hopin may appoint, on reasonable notice: (a) access to Provider’s information processing premises and records; (b) reasonable assistance and cooperation of Provider’s relevant staff; and (c) reasonable facilities at Provider’s premises. The Provider will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider's management.
2.1.10 Provider shall not (and shall ensure that any person or entity providing services on Provider’s behalf shall not) engage a Sub-processor without prior written authorization from Hopin. Hopin consents generally to the appointment by Provider of Sub-processors engaged by Provider and brought to the attention of Hopin prior to the commencement of the Main Agreement.
Provider shall notify Hopin in advance of any new Sub-processors it intends to use, or any changes to the approved list. Hopin may object to such appointments of Sub-processors within fourteen (14) days of receipt of notice. If Hopin objects to such changes, Hopin will give Provider the opportunity to make a change in the service or recommend a change to Provider’s configuration to avoid processing of Personal Data by the objected-to new Sub-processor. If Provider’s proposed change is not acceptable to Hopin, Hopin may in its sole discretion terminate the Main Agreement without further liability or obligation to Provider.
Provider shall ensure that in relation to both existing and new Sub-processors:
a) any Sub-processor is contractually bound in writing to provide at least the same level of protection as is required by this DPA and complies with Applicable Laws;
b) Provider shall be fully responsible for, and liable to Hopin for acts and omissions of any Sub-processor as if they were Provider's own act or omission; and
c) Provider provides Hopin with copies of relevant excerpts from such contracts with any Sub-processors appointed, on request.
3.1 Provider will indemnify and defend Hopin, its clients, officers, directors, employees, agents, representatives and Affiliates (each an "Indemnified Party") from and against all third-party loss, harm, cost (including reasonable legal fees and expenses), expense and liability that an Indemnified Party may suffer or incur as a result of Provider's (or its sub-processors') non-compliance with the requirements of this DPA.
4.1 This DPA will remain in full force and effect so long as:
a) the Main Agreement remains in effect; or
b) the Provider retains any Hopin Personal Data related to the Main Agreement in its possession or control.
4.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Main Agreement in order to protect Hopin Personal Data will remain in full force and effect.
4.3 The Provider's failure to comply with the terms of this Agreement is a material breach of the Main Agreement. In such event, Hopin may terminate the Main Agreement effective immediately on written notice to the Provider without further liability or obligation of Hopin.
4.4 If a change in Applicable Laws prevents either party from fulfilling all or part of its Main Agreement obligations, the parties may agree to suspend the processing of Hopin Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Hopin Personal Data processing into compliance with Applicable Laws within 14 days, either party may terminate the Main Agreement with immediate effect on written notice to the other party.
5.1 This DPA is subject to the terms of the Main Agreement and is incorporated into the Main Agreement. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA will prevail to the extent of such conflict or ambiguity.
5.2 This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
5.3 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this DPA or its subject matter or formation.
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix
The data exporter is (please specify briefly your activities relevant to the transfer):
Hopin, a provider of an online virtual events platform.
The data importer is (please specify briefly activities relevant to the transfer):
The Provider, who is providing Services to Hopin under the Main Agreement.
The personal data transferred concern the following categories of data subjects (please specify):
Individuals whose personal data or personal information Hopin elects to transfer to Provider so that Provider can supply the Services in accordance with the Main Agreement. This may include event organizers, attendees, employees, contractors and contacts of both Hopin and Hopin’s customers.
Categories of data
The personal data transferred concern the following categories of data (please specify):
May include name, email address, billing and payment information, events booked, organized and attended, content genera
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The personal data transferred will be subject to the following basic processing activities (please specify):
The provision and receipt of the Services under the Main Agreement.