Data Processing Agreement

We updated our DPA to reflect the new versions of the Standard Contractual Clauses issued by the European Commission on June 4, 2021.  For Customers who purchased before September 27, 2021, you can view your DPA at https://hopin.com/legal/dpa-pre-scc2021.

Data Processing Agreement 

ENTERED INTO BY:

Hopin Ltd, incorporated and registered in England and Wales with company number 12035150, whose registered office is at 5 Churchill Place, 10th Floor, London, E14 5HU, United Kingdom on its behalf and on behalf of its Affiliates (“Hopin”); 

and  

Customer, the entity identified in the signature block of the Main Agreement (defined below).

Each a “party,” together the “parties.”

BACKGROUND

Customer and Hopin each act as an independent Controller of Participant Data. Each party represents and warrants that it has provided any necessary notices and if required, obtained any necessary consents related to the collection of such personal data and, as applicable, it has the right to share such personal data with the other party. In all other circumstances, Customer is the Controller of Customer Data and Hopin is the Processor. 

The parties have entered into an agreement for Hopin and, where applicable, its Affiliates to provide certain services to the Customer (the “Main Agreement”). This data processing agreement (the “DPA”) sets forth the terms on which the parties will collect and process personal data in connection with the Service and is hereby incorporated into the Main Agreement by reference.

APPLICATION OF THIS DPA

This DPA describes the commitments of Hopin and Customer concerning the processing of personal data in connection with the provision of the Services contemplated by the Main Agreement.

This DPA will always apply to the processing of personal data under the Main Agreement and takes effect from the date of the Main Agreement.

Where other language versions of this document exist, the English version will control.

DESCRIPTION OF DATA PROCESSING

The below sets out the subject-matter, nature and purpose, duration of the processing, the type(s) of personal data being processed, and the categories of data subjects that may be processed depending on the nature of the Services and role of each of Hopin and Customer:

Data Processing Details

Subject-matter

Processing of data related to the Services as described in the Main Agreement.

Nature and purpose

Processing data for the purpose of managing access to Hopin’s platform and associated web-based live streaming by Customer and end users to provide the Services contemplated by the Main Agreement.

Duration and Frequency

Term of the Main Agreement or for as long as Hopin is permitted or required to retain the personal data. Data will be transferred continuously where necessary to provide the Services to Customer.

Types of personal data

“Participant Data” is data provided by end users when they create a Hopin account to attend an event on the Hopin Service including (a) image; (b) contact details and address; (c) first and last name; (d) alias; (e) event participation information (like event name and date and time of event); and (f) any additional information provided independently by individuals in connection with Customer’s events on the Hopin Service.

“Event Content” which includes (a) materials submitted by Customer in the course of creating or during an Event; and (b) personal data embedded in Customer event related content. 

“StreamYard Information” which includes any StreamYard information which is not Participant Data or Event Content which is processed in the course of providing the Services, including data provided as part of the StreamYard Service. 

Categories of Data Subject

Participants are end users who attend Customer events. 

Individuals in Event Content and whose personal information is comprised in StreamYard Information. 

DEFINITIONS

“Affiliates” means any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity. For the purpose of this DPA, Hopin Ltd’s Affiliates comprise StreamYard, Inc., a Delaware corporation with a place of business located at 2810 N. Church St., Wilmington, DE 19802. 

“Applicable Laws” means all applicable data protection and privacy legislation in force from time to time which apply to a Party relating to the use of personal data, including the Data Protection Legislation and the California Consumer Privacy Act of 2018 (AB 375) (CCPA). 

“Business” is as defined in the CCPA.

“Controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing,” “service provider” and “appropriate technical and organisational measures” are as defined in the Data Protection Legislation. “Personal data” includes “personal information” as defined by the CCPA.

“Customer Data” means Event Content and StreamYard Information. 

“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)) and the UK Data Protection Act 2018 (as amended), together with all data protection, privacy and security laws applicable in the United Kingdom; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

“EU C-to-P Transfer Clauses” means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).

“EU P-to-C Transfer Clauses” means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Four (Processor-to-Controller).

“Hopin Service” means the Hopin event technology platform and services, excluding the StreamYard Service. 

“Restricted Transfer” means a transfer of personal data under this DPA from the European Economic Area, Switzerland, or United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Applicable Laws of the foregoing territories, to the extent such transfers are subject to such Applicable Laws. 

“Standard Contractual Clauses” mean the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en.

“Services” means collectively, the Hopin Service and StreamYard Service.

“StreamYard Service” means the StreamYard studio and broadcasting services, excluding the Hopin Service.

1. Compliance with Data Protection Legislation

1.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This Section 1.1 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.

2 Customer’s Responsibilities

2.1 Without prejudice to the generality of Section 1.1, Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Customer Data to Hopin and/or lawful collection or processing of Customer Data by Hopin on behalf of Customer for the duration and purposes of this DPA.  Customer will not instruct Hopin to process any personal data, including Customer Data, in violation of Data Protection Legislation.

2.2 Customer is responsible for the lawfulness of the processing of Customer Data. If a data subject, regulator or other third party asserts a claim or brings regulatory action against Hopin based on the unlawfulness of processing Customer Data, Customer shall indemnify Hopin, its directors, agents and officers, against any and all costs, expenses and damages that Hopin suffers as a result.

3. Hopin’s Responsibilities

Without prejudice to the generality of Section 1.1, Hopin shall, in relation to any personal data processed in connection with the performance by Hopin of its obligations under this DPA:

3.1 process Customer Data only on the documented written instructions of Customer, which include this DPA and the Main Agreement, unless Hopin is required by Applicable Laws to otherwise process Customer Data. Without limiting the foregoing, where Hopin is relying on Applicable Laws as the basis for processing Customer Data, Hopin shall promptly notify Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Hopin from so notifying Customer;

3.2 ensure that it has in place appropriate technical and organizational measures provided in https://hopin.com/security (the “Security Measures”), to protect against unauthorized or unlawful processing of Customer Data and against accidental loss or destruction of, or damage to, Customer Data, appropriate to: the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage of the data; and the nature of the data to be protected, in all cases having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting Customer Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it);

3.3 ensure that all personnel who have access to and/or process Customer Data are obliged to keep Customer Data confidential;

3.4 not transfer any Customer Data outside of the European Economic Area and the United Kingdom unless either: the Commission has decided, in accordance with Article 45 of the General Data Protection Regulation ((EU) 2016/679), that the third country (or sector thereof), territory, or international organization to which personal data is to be transferred, ensures an adequate level of protection; or pursuant to an transfer mechanism that is compliant with Data Protection Legislation, which may include but is not limited to approved Standard Contractual Clauses;

3.5 assist Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

3.6 notify the Customer without undue delay, and where practicable, within 48 hours, on becoming aware of a personal data breach of Customer Data;

3.7 at the written direction of the Customer, delete or return Customer Data and copies thereof to the Data Controller on termination of the DPA unless required by Applicable Law to store the Customer Data;

3.8 maintain complete and accurate records and information to demonstrate its compliance with this DPA and provide the Customer with appropriate evidence at the latter’s reasonable request; 

3.9 allow for audits by the Customer’s designated auditor to be agreed with Hopin in advance, only so far as is necessary in order to demonstrate compliance, provided that: the Customer provides Hopin with no less than 30 days’ notice of such audit or inspection; is conducted at Customer’s sole expense; and the parties agree to the scope, duration, and purpose of such audit or inspection in advance, including reasonable reimbursement of Hopin for time expended by Hopin or its sub-processors. Customer’s designated auditor shall conduct its audit in a manner that will result in minimal disruption to Hopin’s business operations and shall not be entitled to receive or obtain access to any system that also stores the data or information of other clients or customers of Hopin or any other confidential information of Hopin that is not directly relevant for the authorized purposes of the audit. If the Customer becomes privy to any confidential information of Hopin as a result of this Section 3.9, the Customer shall hold such confidential information in confidence and, unless required by law, not make the confidential information available to any third party, or use it for any other purpose. The Customer acknowledges that Hopin shall only be required to use reasonable endeavors to assist the Customer in procuring access to any third party assets, records or information as part of any audit; and 

3.10 inform the Customer immediately if, in Hopin’s opinion, an instruction from the Customer infringes (or, if acted upon, might cause an infringement of) Data Protection Legislation.

4. Third party processors

4.1 The Customer acknowledges and consents generally to the appointment by Hopin of third parties as sub-processors of Customer Data being processed under this DPA. The names and locations of sub-processors used for the processing to support the Services under this DPA are listed at https://hopin.com/security.

4.2 Hopin confirms that: (a) it shall impose on all sub-processors the same data protection obligations as set out in this DPA; and (b) Hopin shall remain fully liable for the actions of its sub-processors at all times.

4.3 Hopin shall give Customer notice of the appointment of any new sub-processors by updating the lists of sub-processors referenced in Section 4.1 above. Customer may reasonably object to such appointments within ten (10) UK business days of such notice for important reasons which have been proven to Hopin. If Customer objects to such changes, Customer will give Hopin the opportunity to make a change in the service or recommend a commercially reasonable change to Customer’s configuration to avoid processing of personal data by the objected-to new sub-processor without unreasonably burdening Customer. Insofar as the Customer does not object within 10 days after the notification date, the Customer’s right to object to the corresponding engagement lapses. If the Customer objects, Hopin is entitled to terminate the Main Agreement on reasonable notice.

5. Restricted Transfers

5.1 Hopin Ltd is located in the United Kingdom, which has been recognised by the European Commission as offering a level of data protection which is essentially equivalent to that provided in the European Union. 

5.2 Insofar as the Services lead to a Restricted Transfer of personal data from the United Kingdom, Hopin undertakes to ensure that such transfers comply with Data Protection Legislation including through the use of appropriate Standard Contractual Clauses. 

5.3 Insofar as Hopin, acting as a Processor, makes a Restricted Transfer of personal data to Customer, the EU P-to-C Transfer Clauses shall apply. 

5.4 If Customer is only purchasing StreamYard Service, the EU C-to-P Transfer Clauses shall apply. 

5.5 To the extent there is any conflict between this DPA and/or the Main Agreement with any applicable Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. 

5.6 For the purposes of the Standard Contractual clauses: (a) The option under clause 7 shall not apply; (b) Option 2 under clause 9 shall apply; (c) Pursuant to clause 9(1) Customer acknowledges and agrees that Hopin may engage new sub-processors in the manner described in this DPA and the notice period will be 10 UK business days; (d) The option under clause 11 shall not apply; (e) The competent supervisory authority shall be determined in accordance with clause 13 and will depend upon the location of the data exporter; (f) the governing law for the purpose of clause 17 shall be the law of Ireland, save to the extent not permitted by UK law, in which case the law of England and Wales will apply; (g) for the purpose of clause 18, the Irish courts will have jurisdiction, save to the extent not permitted by UK law, in which case the courts of England and Wales will have jurisdiction. To the extent required by UK law, all references to EU and EU Member State law in the Standard Contractual Clauses shall be read as references to the equivalent laws of England and Wales. 

5.7 For the purposes of the Appendix to the Model Clauses: (a) the categories of data transferred are Event Content and StreamYard Information (as defined above); and (b) the categories of data subject, subject matter, nature and purpose and duration and frequency of the transfer and retention are set out above under “Description of Data Processing”. It is not anticipated that sensitive data will be transferred.

5.8 For the EU C-to-P Transfer Clauses, the exporter is Customer and the importer is StreamYard, Inc. Customer’s and StreamYard’s contact information is set forth in the Main Agreement. For the purpose of Annex II and Annex III, the security measures and the list of sub-processors are specified at https://hopin.com/security, which are hereby incorporated by reference. For the purposes of Annex I.C, if Customer is established in an EU Member State, the supervisory authority with territorial jurisdiction over Customer shall be the competent supervisory authority. If Customer is not established in an EU Member State, but has appointed a representative, the supervisory authority of the Member State in which the representative is appointed shall act as competent supervisory authority. If Customer is not established in an EU Member State and has not appointed a representative, the Irish Data Protection Commission shall act as competent supervisory authority. Where Customer is established in the United Kingdom, the Information Commissioner's Office shall act as competent supervisory authority. 

5.9 For the EU P-to-C Transfer Clauses, the exporter is Hopin and the importer is Customer. Customer’s and Hopin’s contact information is set forth in the Main Agreement.

6. General

6.1 This DPA is subject to the terms of the Main Agreement and is incorporated into the Main Agreement. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA will prevail to the extent of such conflict or ambiguity. This DPA will remain in full force and effect so long as: (a) the Main Agreement remains in effect; or (b) Hopin retains any personal data related to the Main Agreement in its possession or control.

6.2 If any provision in this DPA is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.

6.3 This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.

Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this DPA or its subject matter or formation.