Data Processing Addendum

‍Data Processing Addendum

ENTERED INTO BY:

Hopin Ltd, incorporated and registered in England and Wales with company number 12035150, whose registered office is at 5 Churchill Place, 10th Floor, London, E14 5HU, United Kingdom on its behalf and on behalf of its Affiliates (“Hopin”); 

and  

Customer, as identified in the Main Agreement (defined below).

Each a “party,” together the “parties.”

BACKGROUND

The parties have entered into an agreement for Hopin and, where applicable, its Affiliates to provide certain services to the Customer (the “Main Agreement”). This data processing addendum (the “DPA”) sets forth the terms on which the parties will collect and process personal data in connection with the Service and is hereby incorporated into the Main Agreement by reference.

Customer and Hopin each act as an independent controller of Participant Data. In all other circumstances, Customer is the controller of Customer Data and Hopin is the processor. 

APPLICATION OF THIS DPA

This DPA describes the commitments of Hopin and Customer concerning the processing of personal data in connection with the provision of the Service contemplated by the Main Agreement.

This DPA will apply to the processing of personal data under the Main Agreement, to the extent that such processing is subject to Data Protection Legislation, and takes effect from the date of the Main Agreement.

Where other language versions of this document exist, the English version will control.

DESCRIPTION OF DATA PROCESSING

Subject-matter

Processing of personal data related to the Service as described in the Main Agreement.

Nature and purpose

Processing of personal data to provide the Service as described in the Main Agreement.

Duration and Frequency

Term of the Main Agreement or for as long as Hopin is permitted or required to retain the personal data. Personal data will be transferred continuously where necessary to provide the Service to the Customer.

Types of personal data

“Participant Data” is any personal data relating to individuals in the creation of a Hopin account (or other means of access) to attend or engage with an event via the Service such as (a) first and last name; (b) contact details; (c) event participation information (e.g event name, time and date); (d) IP address; (e) any additional personal data provided directly to Hopin when registering for and engaging with the Service; and (f) any usage data, including metadata relating to an individual's interaction with the Service (e.g. length of visit, navigation paths, page views, page interaction information, timing, frequency and patterns of use).

“Event Data” is (a) any personal data contained in materials submitted by Customer in the course of creating or during an event (e.g. speaker bios); and (b) personal data embedded in Customer event related content (e.g. event recordings, participant chat transcripts). 

“StreamYard Data” is any personal data processed as part of the StreamYard studio and broadcasting service, which is not Participant Data or Event Data, (e.g. personal data contained in live and/or recorded video streams).

Categories of Data Subject

Individuals who participate in events. 

Individuals whose personal data is contained in Event Data and/or StreamYard Data. 

DEFINITIONS

“Affiliates” means any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity, including StreamYard, Inc., and which provides the Service. 

“Controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing,” “service provider” and “appropriate technical and organisational measures” are as defined in the Data Protection Legislation. “Personal data” includes “personal information” as defined by the CCPA.

“Customer Data” means Event Data and/or StreamYard Data. 

“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time including (i) the General Data Protection Regulation ((EU) 2016/679) (“EU GDPR”); (ii) the General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)) (“UK GDPR”);  (iii) the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time.

“EU C-to-P Transfer Clauses” means the EU SCCs sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).

“Restricted Transfer” means a transfer of personal data under this DPA from the European Economic Area, Switzerland, or United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of applicable laws of the foregoing territories, to the extent such transfers are subject to such applicable laws. 

“Standard Contractual Clauses” means (i) where the EU GDPR applies, the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en (“EU SCCs”) and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).

“Service” has the meaning set forth in the Main Agreement but may include the Hopin event technology platform and service, Session service and/or the StreamYard studio and broadcasting service.

1. Compliance with Data Protection Legislation

1.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. 

2 Customer’s Responsibilities

2.1 Customer will ensure that it has all necessary and appropriate consents and notices in place to enable lawful disclosure of Customer Data to Hopin and/or lawful collection or processing of Customer Data by Hopin on behalf of Customer for the purposes of this DPA.  Customer will not instruct Hopin to process any personal data, including Customer Data, in violation of Data Protection Legislation.

3. Hopin’s Responsibilities

3.1 Hopin shall comply with the requirements below, in relation to any Customer Data processed by Hopin as a processor on behalf of Customer as a controller:

3.1.1 Instructions: Hopin shall: (i) process Customer Data only on the documented written instructions of Customer, which include this DPA and the Main Agreement, unless Hopin is required by applicable laws to otherwise process Customer Data; (ii) where Hopin is relying on applicable laws as the basis for processing Customer Data, Hopin shall promptly notify Customer of this in advance, unless those applicable laws prohibit Hopin from doing so; and (iii) inform the Customer promptly if, in Hopin’s opinion, an instruction from the Customer infringes (or, if acted upon, might cause an infringement of) Data Protection Legislation;

3.1.2 Security: Hopin shall ensure that it has in place appropriate technical and organizational measures provided in https://hopin.com/security (the “Security Measures”), to protect against unauthorized or unlawful processing of Customer Data and against accidental loss or destruction of, or damage to, Customer Data, appropriate to: the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage of the data; and the nature of the data to be protected, in all cases having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting Customer Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Customer Data can be restored in a timely manner after a personal data breach, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it);

3.1.3 Confidentiality of processing: Hopin shall ensure that all personnel who have access to and/or process Customer Data are subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty);

3.1.4 Cooperation and data subject rights: Hopin shall assist Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to personal data breach notifications, impact assessments and consultations with supervisory authorities or regulators;

3.1.5 Personal data breaches: Hopin shall notify the Customer without undue delay on becoming aware of a personal data breach of Customer Data;

3.1.6 Deletion or return of data: Hopin shall, at the written direction of the Customer, delete or return Customer Data to the Customer, on termination of the DPA unless required by applicable laws to store the Customer Data;

3.1.7 Accountability: Hopin shall maintain complete and accurate records and information to demonstrate its compliance with Data Protection Legislation and provide the Customer with appropriate evidence at its reasonable request; and

3.1.8 Audits: Hopin shall allow for audits by the Customer’s designated auditor to be agreed with Hopin in advance, only so far as is necessary in order to demonstrate compliance with this DPA, provided that: the Customer provides Hopin with no less than 30 days’ notice of such audit or inspection; it is conducted at Customer’s sole expense; and the parties agree to the scope, duration, and purpose of such audit or inspection in advance, including reasonable reimbursement of Hopin for time expended by Hopin or its sub-processors. Customer’s designated auditor shall conduct its audit in a manner that will result in minimal disruption to Hopin’s business operations and shall not be entitled to receive or obtain access to any system that also stores the data or information of other clients or customers of Hopin or any other confidential information of Hopin that is not directly relevant for the authorized purposes of the audit. If the Customer becomes privy to any confidential information of Hopin as a result of this Section 3.1.8, the Customer shall hold such confidential information in confidence and, unless required by law, not make the confidential information available to any third party, or use it for any other purpose. The Customer acknowledges that Hopin shall only be required to use reasonable endeavors to assist the Customer in procuring access to any third party assets, records or information as part of any audit.

4. Third party processors

4.1 The Customer acknowledges and consents generally to the appointment by Hopin of third parties as sub-processors of Customer Data being processed under this DPA. The names and locations of sub-processors used for the processing to support the Service under this DPA are listed at https://hopin.com/security.

4.2 Hopin confirms that: (a) it shall impose on all sub-processors substantially the same data protection obligations as set out in this DPA; and (b) Hopin shall remain fully liable for the actions of its sub-processors at all times.

4.3 Hopin shall give Customer notice of the appointment of any new sub-processors by updating the lists of sub-processors referenced in Section 4.1 above. Customer may reasonably object to such appointments within 10 UK business days of such notice for important reasons relating to data protection which have been proven to Hopin. If Customer objects to such changes on this basis, Customer will give Hopin the opportunity to make a change in the service or recommend a commercially reasonable change to Customer’s configuration to avoid processing of Customer Data by the objected-to new sub-processor without unreasonably burdening Customer. Insofar as the Customer does not object within 10 days after the notification date, the Customer’s right to object to the corresponding engagement lapses. If the Customer objects in accordance with this Section 4.3, Hopin is entitled to terminate the Main Agreement on reasonable notice.

5. Restricted Transfers

5.1 Insofar as the Service leads to a Restricted Transfer, Hopin (acting also on behalf of StreamYard, Inc. where applicable) and Customer hereby enter into the EU C-to-P Transfer Clauses and the UK Addendum (where applicable) on the basis that the exporter is Customer and the importer is Hopin US, Inc. and/or StreamYard, Inc. and on the basis that:

(a) To the extent that Customer is located in the EU and/or the personal data is protected by the EU GDPR, the EU C-to-P Transfer Clauses will be completed as follows:

(i) in Clause 7, the optional docking clause will not apply;

(ii) in Clause 9, Option 2 will apply, and pursuant to clause 9(1) Customer acknowledges and agrees that Hopin may engage new sub-processors in the manner described in this DPA and the notice period will be 10 UK business days;

(iii) in Clause 11, the optional language will not apply;

(iv) in Clause 17, the EU C-to-P Transfer Clauses will be governed by the jurisdiction of Ireland;

(v) in Clause 18, disputes shall be resolved before the courts in the jurisdiction of Ireland;

(iv) the competent supervisory authority shall be the Irish Data Protection Commission;

(vii) for the purposes of Annex I to the EU C-to-P Transfer Clauses: (a) the categories of data transferred are Event Data and/or StreamYard Data (as defined above); and (b) the categories of data subject, subject matter, nature and purpose and duration and frequency of the transfer and retention are set out above under “Description of Data Processing”. It is not anticipated that sensitive data will be transferred; and

(viii) For the purpose of Annex II the security measures are specified at https://hopin.com/security, which are hereby incorporated by reference.

(b) To the extent the Customer is located in the UK and/or the personal data is protected by the UK GDPR, the UK Addendum will apply as follows:

(i) The EU C-to-P Transfer Clauses (as amended as specified by Part 2 of the UK Addendum) are completed as set out above in Section 5.1(a); and

(ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with the information set out above in Section 5.1(a) (as applicable) and table 4 in Part 1 shall be deemed completed by selecting "data importer".

5.2 To the extent there is any conflict between this DPA and/or the Main Agreement with any applicable Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. 

5.3 To the extent that Hopin adopts an alternative data transfer mechanism (including any new version of or successor to the Standard Contractual Clauses) ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall upon notice to Customer and an opportunity to object, apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Legislation applicable to the EU and/or the UK and extends to territories to which Customer Data is transferred).

6. California Consumer Privacy Act (“CCPA”) 

6.1 Hopin shall not sell the Customer Data containing personal information (as the terms “sell” and “personal information” are defined under the CCPA) of residents of the state of California, nor receive any personal information as consideration for any service provided by Hopin as a service provider under this DPA.  

6.2 Additionally, Hopin shall not collect, retain, share or use any personal information except as necessary for a business purpose pursuant to a written contract (i.e., to provide and operate the Service) and subject to the restrictions specified in Section 1798.140 (v) of the CCPA and refrain from taking any action that would cause any transfers of personal information received from Customer to qualify as "selling personal information" under the CCPA or any other similar applicable privacy laws.

7. General

7.1 This DPA is subject to the terms of the Main Agreement and is incorporated into the Main Agreement. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA will prevail to the extent of such conflict or ambiguity. This DPA will remain in full force and effect so long as the Main Agreement remains in effect.

7.2 If any provision in this DPA is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.

7.3 This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.

7.4 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this DPA or its subject matter or formation.

‍