ENTERED INTO BY:
Hopin Ltd., incorporated and registered in England and Wales with company number 12035150, whose registered office is at 5 Churchill Place, 10th Floor, London, E14 5HU (“Hopin”); and
“Vendor” is the entity identified in the signature block of the Main Agreement (defined below).
Each a “Party,” together the “Parties.”
The Parties have entered into an agreement for Vendor to provide certain services (the “Services”) to Hopin (the “Main Agreement”). This data processing addendum (the “DPA”) sets forth the terms on which the Parties will collect and process Personal Data in connection with the Services, and is hereby incorporated into the Main Agreement by reference.
This DPA applies to the extent that the processing of Personal Data is subject to Data Protection Legislation and takes effect from the date of the Main Agreement. This DPA will remain in full force and effect so long as the Main Agreement remains in effect or the Vendor retains any Personal Data related to the Main Agreement in its possession or control.
Capitalized terms used but not defined in this DPA shall have the same meanings as set out in the Main Agreement, if applicable. For the purposes of this DPA, terms shall have the following meanings:
a. “Affiliate” means, regarding a Party, any entity that directly or indirectly controls, is controlled by, or is under common control with such Party, whereby “control” (including, with correlative meaning, the terms “controlled by” and “under common control”) means the possession, directly or indirectly, of the power to direct, or cause the direction of the management and policies of such person, whether through the ownership of voting securities, by contract, or otherwise.
b. “Controller”, “Processor”, “data subject”, “Personal Data”, “personal data breach”, “processing,” “service provider” and “appropriate technical and organizational measures” are as defined in the Data Protection Legislation. “Personal Data” includes “personal information” as defined by the CCPA.
c. “Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time which apply to a Party relating to the use of Personal Data, including: (i) the General Data Protection Regulation ((EU) 2016/679) (the “EU GDPR”); (ii) the General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)) (the “UK GDPR”); (iii) the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); (iv) the California Consumer Privacy Act (“CCPA”) and any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii), (iii) or (iv) as well as any guidance and codes of practice issued by a competent data protection or supervisory authority; in each case as may be amended or superseded from time to time.
d. “EU C-to-C Transfer Clauses” means the EU SCCs sections I, II, III and IV (as applicable) to the extent they reference Module One (Controller-to-Controller).
e. “EU C-to-P Transfer Clauses” means the EU SCCs sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).
f. “EU P-to-P Transfer Clauses” means the EU SCCs sections I, II, III and IV (as applicable) to the extent they reference Module Three (Processor-to-Processor).
g. “Restricted Transfer” means a transfer of Personal Data under this DPA from the European Economic Area, Switzerland or United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Legislation of the foregoing territories, to the extent that such transfers are subject to such Data Protection Legislation.
h. “SCCs” or “Standard Contractual Clauses” means: (i) where the EU GDPR applies, the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en (“EU SCCs”) and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).
i. "Sub-processor" means an entity engaged by Vendor to receive Personal Data from the Vendor exclusively intended for the processing activities to be carried out as part of the Services.
- Relationship of the parties: For the purposes of this DPA, Hopin may act as a Controller, or it may act as a Processor on behalf of one of its customers. Vendor therefore acknowledges that it may act as: a) a Processor of Hopin; b) a Sub-processor of Hopin; or, c) a separate Controller to Hopin. Where Hopin acts as a Processor, Hopin is obligated contractually and / or under Data Protection Legislation to flow down certain data protection related obligations to its appointed Sub-processors. Therefore all obligations in this DPA shall apply to Vendor regardless of whether it acts as a Processor or Sub-processor. Where Vendor acts as an independent Controller, Vendor shall comply with the requirements of Data Protection Legislation and the following provisions of this DPA: section 4 a); section 6; Annex 1; Annex 2; and Annex 3. Vendor and Hopin shall not act as joint Controllers.
- Description of processing: A description of processing of Personal Data related to the Services is set out in Annex 1. The Parties acknowledge and agree that the description of processing covers the Services anticipated to be provided at the commencement of the Main Agreement and that it shall be updated in the event of a change to the Services.
- Vendor processing Personal Data: Vendor will:
a. comply with the requirements of Data Protection Legislation, and shall not perform its obligations under this DPA or any other agreement or arrangement with Hopin in such a way as to cause Hopin to breach any of its applicable obligations under Data Protection Legislation.
b. Without prejudice to the generality of the foregoing, the Vendor shall, in relation to any Personal Data processed in connection with the performance of its obligations under this DPA warrant and undertake:
i. to process Personal Data only on the documented written instructions of Hopin, which include this DPA and the Main Agreement, unless Vendor is required by Data Protection Legislation to otherwise process that Personal Data;
ii. to not process Personal Data for Vendor’s own purposes or for the benefit of anyone other than Hopin;
iii. to notify Hopin before performing any processing relying on Data Protection Legislation as the basis for processing Personal Data, unless that Data Protection Legislation prohibits Vendor from so notifying Hopin;
iv. to promptly notify Hopin if, in its opinion, Hopin’s instructions do not comply with Data Protection Legislation or other applicable laws; and
v. to maintain a record of all categories of processing carried out on Hopin’s behalf and make it available to Hopin or the data protection supervisory authority upon request.
- Confidentiality of processing: Vendor shall only permit employees, staff, agents, or any other person or entity acting on its behalf to access Personal Data if that access is in compliance with this DPA, conducted by individuals who have a need-to-know and who have been appropriately trained and are bound by commercially reasonable and legally enforceable confidentiality, data privacy, and data security obligations that are no less protective than those set forth in this DPA.
- Security: Vendor shall ensure that it has in place appropriate technical and organizational measures, which are no less protective than those set out in Annex 2, to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to: (a) the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage of the Personal Data; and (b) the nature of the Personal Data to be protected; in all cases having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting the Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident or personal data breach, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it).
- Restricted transfers: The parties agree that when the transfer of Personal Data from Hopin to Vendor is a Restricted Transfer and Data Protection Legislation requires that appropriate safeguards are put in place, it shall be subject to the prior written consent of Hopin, any such consent to be provided by way of completion of Annex 1(B). Where such consent is granted, the Vendor may only participate in a Restricted Transfer pursuant to a transfer mechanism which is compliant with Data Protection Legislation, which may include but is not limited to the appropriate SCCs as specified in Annex 3, which shall be deemed incorporated into and form a part of this DPA.
a. Vendor shall not (and shall ensure that any person or entity providing services on Vendor’s behalf shall not) engage a Sub-processor without prior written authorization from Hopin. Hopin consents generally to the appointment by Vendor of Sub-processors engaged by Vendor and brought to the attention of Hopin prior to the commencement of the Main Agreement by completion of Annex 1(B).
b. Vendor shall ensure that in relation to both existing and new Sub-processors:
i. any Sub-processor is contractually bound in writing to provide at least the same level of protection as is required by this DPA and in compliance with Data Protection Legislation;
ii. Vendor shall be fully responsible for, and liable to Hopin for acts and omissions of any Sub-processor as if they were Vendor's own act or omission; and
iii. Vendor shall provide at Hopin’s request copies of any information in relation to Sub-processors as may be required to demonstrate Vendor’s compliance with Data Protection Legislation.
- Changes to Sub-processors: Vendor shall notify Hopin (email@example.com) in advance of any Sub-processors it intends to use. Hopin may object to such appointments of Sub-processors within fourteen (14) days of receipt of notice. If Hopin objects to such changes, Hopin will give Vendor the opportunity to make a change in the service or recommend a change to Vendor’s configuration to avoid processing of Personal Data by the Sub-processor in question. If Vendor’s proposed change is not acceptable to Hopin, Hopin may in its sole discretion terminate the Main Agreement with consequences of termination as provided for in the Main Agreement.
- Cooperation and data subject rights:
a. Vendor shall take such technical and organizational measures as may be appropriate and provide all assistance required by Hopin at no additional cost to Hopin, to enable Hopin to comply with the rights of Data Subjects under Data Protection Legislation and its obligations under Data Protection Legislation, including its obligations relating to the security of processing, maintaining detailed records of processing activities (including the location of data), notification of a personal data breach to the data protection supervisory authority, to the data subject and other third parties, transfer impact assessments, data protection and/or privacy impact assessments as well as prior consultation with the data protection supervisory authority.
b. In the event that such request, correspondence, enquiry or complaint as referred to in section 10 a) above is made directly to Vendor, Vendor shall notify Hopin immediately on receipt and shall not respond directly without Hopin’s prior authorisation.
- Personal data breaches: In the event that Vendor becomes aware of a personal data breach, Vendor will, at Vendor’s cost:
a. notify Hopin without undue delay (and at the latest within 24 hours of becoming aware of the personal data breach);
b. provide Hopin with a reasonably detailed description of the personal data breach, including the type of data that was the subject of the personal data breach and the identity and state or country of residence of each affected data subject as well as any other information that Hopin may request relating to the personal data breach, as soon as such information can be collected or otherwise becomes available;
c. promptly (and no later than within 24 hours of becoming aware of the personal data breach) investigate, make reasonable efforts to mitigate the effects and harm of the personal data breach in accordance with its obligations under sections 5 and 6 (Confidentiality and Security) above, and provide any other assistance that Hopin may request relating to the personal data breach; and
d. not disclose the existence of a personal data breach to any third party, including to Hopin’s customers, consumers, or the general public, without first obtaining the prior express written consent of Hopin. Hopin has the sole right to determine: (i) whether notice of the personal data breach is to be provided to any customer, individuals, regulators, law enforcement agencies, or others; and (ii) the form and content of such notice.
- Deletion or return of data: upon termination or expiry of this DPA, Vendor shall (at Hopin’s election) destroy or return to Hopin all Personal Data (including all copies) in its possession or control (including any Personal Data in the possession of a Sub-processor or provided by a Sub-processor to a third party for processing), unless any applicable law requires Vendor to retain Personal Data.
- Audit: Vendor acknowledges that Hopin has the right to fully monitor and audit Vendor’s compliance with its duties under this DPA and Data Protection Legislation, and Vendor shall provide to Hopin, its authorized representatives and any such independent inspection body as Hopin may appoint, on reasonable advance notice (which shall not be less than 30 days): (a) access to Vendor’s information processing premises and records; (b) reasonable assistance and cooperation of Vendor’s relevant staff; and (c) reasonable facilities at Vendor’s premises. Vendor will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by Vendor’s management. Any audit permitted in compliance with this section shall be limited to once per calendar year unless: i) Vendor has experienced a personal data breach which impacted Hopin Personal Data; or ii) Hopin is able to show Vendor’s non-compliance with the DPA; or iii) a change to the scope of Services is contemplated or has taken place.
- Law enforcement: In the event that a law enforcement agency sends Vendor a demand for Hopin Personal Data, Vendor shall use best endeavours to redirect the law enforcement agency to request that Personal Data directly from Hopin. As part of this effort, Vendor may provide Hopin’s contact information to the law enforcement agency.
- California Consumer Privacy Act (“CCPA”) Compliance:
a. Assistance. Vendor will provide Hopin with all reasonably requested assistance and cooperation to enable Hopin to fulfil its obligations under the CCPA.
b. Handling Restrictions. Vendor may not: (a) sell any personal information received from Hopin or any customer of Hopin (including any information obtained through any web or mobile property operated by Hopin), (b) use such personal information, for avoidance of doubt, to create any consumer profile or to enhance, correct or augment information of any third party (including of any other customer of Vendor), or (c) use any such personal information except to perform requested services to and for the sole benefit of Hopin, provided that Vendor shall not be in violation of the foregoing where it employs personal information for the benefit of other entities receiving the services to the extent that such personal information is used solely to detect data security incidents, to prevent fraud, or other purposes strictly required by the CCPA. “Sell” and “personal information” shall have the definitions set forth in the CCPA.
a. This DPA is subject to the terms of the Main Agreement and is incorporated into the Main Agreement. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA will prevail to the extent of such conflict or ambiguity.
b. Any provision of this DPA expressly or by implication that comes into or continues in force on or after termination of the Main Agreement in order to protect Personal Data will remain in full force and effect.
c. Vendor's failure to comply with the terms of this DPA is a material breach of the Main Agreement. In such event, Hopin may terminate the Main Agreement effective immediately on written notice to the Vendor without further liability or obligation of Hopin.
d. This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
e. Each Party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this DPA or its subject matter or formation.
Description of Processing Activities / Transfer
Annex 1 (A) List of Parties:
Annex 1 (B) Description of Processing/ Transfer
Set out below are the descriptions of processing/ transfers of Personal Data as contemplated as of the date of this DPA. Such descriptions are subject to change or may be supplemented pursuant to section 3.
- Module One (Controller to Controller) of the SCCs will apply where both Hopin and Vendor are separate data Controllers for Personal Data.
- Module Two (Controller to Processor) of the SCCs will apply where: Hopin is a Controller of Personal Data and Vendor is processing Personal Data.
- Module Three (Processor to Processor) of the SCCs will apply where both Vendor and Hopin are processing Personal Data.
- The EU C-to-C Transfer Clauses, EU C-to-P Transfer Clauses or EU P-to-P Transfer Clauses (as amended as specified by Part 2 of the UK addendum) shall be completed as applicable in accordance with the following:
a. In Clause 7, the optional docking clause will not apply;
b. In Clause 9, Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in section 9 of this DPA;
c. In Clause 11, the optional language will not apply;
d. the competent supervisory authority shall be determined in accordance with clause 13;
e. the governing law for purposes of Clause 17 shall be the law of Ireland, save to the extent not permitted by UK law, in which case the law of England and Wales will apply;
f. for the purpose of clause 18, the Irish courts will have jurisdiction, save to the extent not permitted by UK law, in which case the courts of England and Wales will have jurisdiction. To the extent required by UK law, all references to EU and EU Member State law in the SCCs shall be read as references to the equivalent laws of England and Wales.
- In Annex I, Part A of the SCCs: The Data Exporter is Hopin and the Data Importer is Vendor, and the contact details are set forth in the Main Agreement. The roles of Data Exporter and Data Importer are set forth in the Application of this DPA Section of this DPA and as otherwise set forth in the Main Agreement.
- In Annex I, Part B of the SCCs: The categories of data subjects and nature and purpose of the processing are described in Annex 1 (B) of this DPA. It is not anticipated that sensitive data will be transferred. The frequency of the transfer is a continuous basis for the duration of the Main Agreement. The period for which the Personal Data will be retained is for the term of the Main Agreement or for as long as Vendor is permitted or required to retain the Personal Data. Annex 2 to this DPA serves as Annex II of the SCCs.
- Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above in Annex 1 (B), Annex 2 and section 4 of this Annex (as applicable) and table 4 in part 1 shall be deemed completed by selecting “data exporter”.
- For the purposes of table 2 in part of the UK Addendum, the parties confirm that the Personal Data received from Hopin will not be combined with personal data collected by Vendor.